Last assessment I was on, I was on the "remote" end of the shell. We had people in another state doing the on-site work and sending shells back so we could simulate remote and local attackers.
Interesting things come up when you have people looking for your outbound shell, mostly: WTF do you do when your connect-back domain name is poisoned or your IP blocked, and how do you hide that traffic? Maybe in some cases that 3am hack session ISN'T a good idea; better to blend in with the morning checking-email traffic.
At BH D.C. Sinan Eren gave his IO Immunity Style talk. It was a good talk and interesting considering they were able to take all the time they needed and 0day was OK. But most important was their backdoor, PINK. PINK helps solve some of the C&C problems with botnets or even backdoors, namely how do I keep tabs on the boxes even though I don't necessarily want them to do anything. PINK had a pretty cool way of doing that: you put commands on a blog (signed and encrypted...booyah) and the backdoor would go out and query that page for what to do next. Pretty cool way of doing it. It would also wait and only do those queries if there was activity on the box; I don't remember if it was network activity or just keyboard/mouse activity, either way it was a good idea. Only sending web traffic when someone is actually logged in is definitely a better way to blend in.
Tom Liston also talked about some malware at last year's ChicagoCon that would query some website and get its commands from comments in the HTML code, again pretty slick.
So what's the point? I guess the point is cover your ass and have multiple ways of keeping that communication going, or really know your target's monitoring capabilities to see which method will best keep your shell alive.
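The flip side of the blending-in advice above is what a blue team looks for: the same box fetching the same page on a fixed timer, or polling only at 3am when nobody is logged in. Here is an added example (my own, not code from the post, from Immunity or from PINK) that flags both tells over constructed proxy log lines; the log format, hosts and URLs are made up for the example.

```python
# Added example: spot fixed-interval or off-hours polling of one URL in proxy logs.
# Log format is assumed: "<ISO timestamp> <client ip> <url>" (constructed sample below).
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: .5 polls a page every 10 minutes, .9 polls with jitter but only
# at night, .7 is a person reading mail during the day.
SAMPLE_LOG = """\
2009-03-02T02:00:00 10.0.0.9 http://paste.example.invalid/notes
2009-03-02T02:47:13 10.0.0.9 http://paste.example.invalid/notes
2009-03-02T03:00:00 10.0.0.5 http://blog.example.invalid/cmd
2009-03-02T03:05:40 10.0.0.9 http://paste.example.invalid/notes
2009-03-02T03:10:00 10.0.0.5 http://blog.example.invalid/cmd
2009-03-02T03:20:00 10.0.0.5 http://blog.example.invalid/cmd
2009-03-02T03:30:00 10.0.0.5 http://blog.example.invalid/cmd
2009-03-02T04:12:02 10.0.0.9 http://paste.example.invalid/notes
2009-03-02T08:58:13 10.0.0.7 http://mail.example.invalid/inbox
2009-03-02T09:04:41 10.0.0.7 http://mail.example.invalid/inbox
2009-03-02T09:31:02 10.0.0.7 http://mail.example.invalid/inbox
2009-03-02T10:15:55 10.0.0.7 http://mail.example.invalid/inbox
"""


def parse(log):
    """Group request timestamps by (client, url)."""
    hits = defaultdict(list)
    for line in log.splitlines():
        ts, src, url = line.split()
        hits[(src, url)].append(datetime.fromisoformat(ts))
    return hits


def find_beacons(log, min_hits=4, max_jitter=0.1, work_hours=(7, 19)):
    """Return (client, url, reason) for repeated fetches that look like a timer
    (gap spread <= max_jitter of the mean gap) or that only happen off-hours."""
    findings = []
    for (src, url), times in parse(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((src, url, "fixed interval %.0fs" % avg))
        elif all(not (work_hours[0] <= t.hour < work_hours[1]) for t in times):
            findings.append((src, url, "all fetches outside working hours"))
    return findings


if __name__ == "__main__":
    for src, url, why in find_beacons(SAMPLE_LOG):
        print(src, url, why)
```

Tune `min_hits`, `max_jitter` and `work_hours` to the site; a poll that is gated on real user activity, as PINK's was, defeats both checks, which is exactly why the post recommends it.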
not so much the post but the comments are good
IO Immunityinc style talk