Investigating untrusted programs

Running any untrusted code to see what it does is a bad idea

 $ strings unknownprogram
 ...
 /ova/ez -es / 2>/qri/ahyy
 ...

 $ ./unknownprogram
 (disk spins a lot...)

Little did you know, '/ova/ez -es /' is actually "/bin/rm -rf / 2>/dev/null" encrypted with rot13.  

When the program runs, it decodes the string and calls it via system().