As I said before, there are a lot of lessons for payload authors here.
- Don't include the real payload (stage 2) in everyone infected, only in those who are exploited. Infection (stage 1) should just enable delivery.
- Always encrypt and sign your payloads, both for confidentiality and to make sure others can't use your backdoor.
- Make sure captured payloads cannot be replayed against everyone
- Don't phone home
- Make sure your stack is aligned!
- Stash your stage 1 in files that evade scrutiny (a unit test case file was good, but now that's been burned and people will be looking closer at those, at least for a while)
- If you do put a payload in a unit test, be sure to write a test that uses said file, and add some chaff so it's not immediately obvious that it's an obfuscated shell script