So i was working on a article on using HackerDefender rootkit. Hopefully it will be published soon, i'll update on that when/if it happens. During the course of doing the demo for it i wanted to see how the metasploit killAV meterpeter script would do against mcaffee. it didnt do well at all, the mcaffee AV had something running that i couldnt turn it off using that script or with task manager, but if you turned off the "on protect" you could run the script and kill the rest of the AV on the box. of further interest and calls for more research is the stack overflow prevention that stopped a simple metasploit attack cold :-( i'm gonna play and see if there are ways around that either with encoding or if it protects against heap overflows.
anyway, assuming they dont have the stack protection on and you can get a shell, the easiest thing may be a vnc payload where you can just disable the AV by hand (virtual hand) and then upload your rootkit on the box. that brings the whole someone may see you doing it issue but will still get the job done.
more to follow if the ADD doesnt kick in too bad and i get off on a different tangent.