When dealing with an unknown binary, the first step is to determine what kind of executable it is:

$ file the-binary
the-binary: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, stripped

So, for now we know that

Let's have a look at the interesting strings we can find in the binary:

$ strings -n 8 the-binary | wc -l
368

There are quite a few strings, but if we ignore those that can also be found in the standard libraries (using strings), we end up with:

9:uLAj;j
9:u!Aj;j
[mingetty]
/tmp/.hj237349
/bin/csh -f -c "%s" 1> %s 2>&1
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:.
HISTFILE
/bin/csh -f -c "%s"
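
The filtering step described above, as an added example that is not part of the original write-up: it extracts strings of at least 8 characters from a target and drops every string that also occurs in the given reference files. The fake-libc and fake-target files are constructed stand-ins, and the /usr/lib/libc.a path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: strings that occur in a target binary but in none of the
# reference files (e.g. the static libraries it may have been linked with).
MINLEN=8    # same threshold as "strings -n 8" above

# Print the unique printable strings of one file, sorted for comm(1).
extract_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -a -n "$MINLEN" "$1"    # -a: scan the whole file
    else
        # Fallback without binutils: runs of printable ASCII via grep.
        LC_ALL=C grep -a -o -E "[ -~]{$MINLEN,}" "$1"
    fi | LC_ALL=C sort -u
}

# unique_strings TARGET REF...
# Exact-line match only: a library string embedded in a longer target
# string (or the reverse) is not filtered out.
unique_strings() {
    target=$1; shift
    tmp=$(mktemp -d) || return 1
    extract_strings "$target" > "$tmp/target"
    for ref in "$@"; do extract_strings "$ref"; done |
        LC_ALL=C sort -u > "$tmp/known"
    # comm -23 keeps lines that appear only in the first (target) list.
    LC_ALL=C comm -23 "$tmp/target" "$tmp/known"
    rm -rf "$tmp"
}

# Constructed sample: a fake library and a fake target sharing one string.
demo() {
    d=$(mktemp -d) || return 1
    printf 'GNU C Library stable\000/etc/nsswitch.conf\000' > "$d/fake-libc"
    printf '\177ELF\001\000/etc/nsswitch.conf\000[mingetty]\000' > "$d/fake-target"
    printf '/tmp/.hj237349\000HISTFILE\000' >> "$d/fake-target"
    unique_strings "$d/fake-target" "$d/fake-libc"
    rm -rf "$d"
}

demo
# On real files (library path is an assumption):
#   unique_strings the-binary /usr/lib/libc.a
```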

So, first preliminary hypotheses:

Now comes the more difficult part - reading the code. A quick session in gdb and objdump reveals the following: