Some time ago, while I was helping a law enforcement agency track a wanted mobter boss, I came across one of his trusted people's computer. He and I were connected to the same insecure wireless at a cafe. After some scanning and running several little exploits I managed to get a shell to his Windows XP machine.
Putting aside the fact that his XP wasn't updated and that XP is the easiest Windows to penetrate, he didn't have any firewall, antivirus or any other security program on his laptop. Initially I thought the laptop was one of those *burn* computers: use once and discard, so I was hesitant to leave there any backdoor, however he was the only lead we had to the boss. I installed a little backdoor.
The backdoor program would try to connect to a server I had ready. Just send a "I'm alive" signal via an HTTP GET that was injected into any application connected to the internet as soon as the laptop connected to a new network (different from the one we were connected at that moment). The idea was to piggy back into an app already connected and try to remain hidden like that.
I wasn't sure it would work because the more I searched the laptop, the more I thought this was a burn computer. My hope, though, was that this guy would eventually connect to a network where either the boss was connected or that we could find data belonging to the organization; maybe this last part would help us find the boss.
For several weeks my *listening* program didn't get any signals. Then, when I was to shut down the server, I had one.