i been wondering.
consider if program executes this call

execl("/bin/sh", "echo", NULL);

Say this was remote backdoor then the "echo" is used to mask the fact
that there is a shell running.
I tried this but ps program displayed.   echo (sh)
I wonder where that (sh)  came from.
Also is there an easy way to circumvent addition of that (sh)?  What if
process forks does it stay?