Frequent scenario:

  • An old game is released on GOG / Steam.
  • It proves to be incompatible with new Windows systems. (Crashes, game breaking bugs, fps of 0.5 and the likes)
  • An unofficial patch is released by the fanbase, either for this particular game or for a range of games that use <obsolete technology X>. This unofficial patch is released in the form of a .exe file that is supposed to replace the game's main executable, a .dll to be placed in the game's folder, or instructions on how to manually patch the game's executable. Sometimes the patch is even released on GitHub with source code.

My question is, how to estimate the safety of those binaries?

  • I suppose that it is hardly possible to include malware by arbitrarily changing a few bytes in the executable; so this should be safe;
  • Github binaries with source code provided should hopefully be safe, though I may be naive here, especially since out of box builds may differ from the source code
  • Arbitrary executables provided on fansites dedicated to the game are only as safe as the site is reputable... but that's an odd way to say that if the admin isn't known to have included malware within past 10 yrs they're unlikely to include malware now?

Bottom line:

  • Is the only reasonable approach to never run any binaries from the internet outside of a virtual machine unless they've been tried by half of the world already (I mean cases like League of Legends or even Battle for Wesnoth), at least if I don't want to see that my files were encrypted and I have to pay XXX BTC to have them decrypted?
  • Or are there any other ways to estimate the safety of an arbitrary binary?

gaazkam

1 Answer


I suppose that it is hardly possible to include malware by arbitrarily changing a few bytes in the executable; so this should be safe;

Viruses can easily be as small as about 50 bytes of code, so changing a few bytes isn't an indicator. Granted, most AV can detect viruses this small, so the risk is minimal, but be aware that it doesn't take much to turn a normal executable into a bomb.

Github binaries with source code provided should hopefully be safe, though I may be naive here, especially since out of box builds may differ from the source code.

True, your best bet is to build your own binary, but Open Source Software tends to be safer only because there are so many people looking at it. If something was amiss, it'd probably be reported before it had a chance to do much harm (but, note that things like Heartbleed still get out in the wild despite such assurances, so it's not foolproof).

Arbitrary executables provided on fansites dedicated to the game are only as safe as the site is reputable... but that's an odd way to say that if the admin isn't known to have included malware within past 10 yrs they're unlikely to include malware now?

On the internet, reputation tends to be important. That's why sites like Stack Overflow actually work. I would say that over 99% of "fan sites" are probably likely to be legitimate, because almost nobody wants to be the one that tarnishes the image of their beloved franchise. However, it's no guarantee. People that are out to do harm will most likely fake their 10 year reputation in order to seem legit, because ten years just to plant a virus isn't practical.

Overall, the only way to stay 100% safe is to never run any code from anyone ever. There's always a risk. You can reduce the risk by using legitimate sites, but even those can be hacked. Always use an up-to-date antivirus, always check signatures, and always have backups. And always back up your data. There, said it twice. As long as you have everything backed up, you should be good to go. Real fans won't harm your computer, but be aware of posers that will. Almost all "pirates" prefer their reputation over doing damage; it's the scammers and crackers you should be worried about.

phyrfox
    Sometimes people do destroy their reputation. A homebrew developer by the pseudonym DarkFader (Rafael Vuijk) released two pieces of malware for the Nintendo DS which bricked the system by overwriting part of the firmware. This destroyed his reputation in the NDS homebrew scene. – forest Jul 29 '18 at 03:51
  • @forest Yes, there are people out there who do bad things, either they go crazy, make a mistake, or whatever. That's why I definitely recommend trying to be as safe as possible (e.g. do research, stick with reputable sites, backup data, etc). And no matter what you do, there's always a risk, as with all things in life. – phyrfox Jul 29 '18 at 04:51
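Two of the checks the answer recommends ("check signatures", compare against a build from the published source) can be done before a patch .exe or .dll is ever run. The following is an added example, not code from the question, the answer or any patch project: it compares the file's SHA-256 with a hash the project publishes (or with the hash of a binary you built yourself from the GitHub source) and parses the PE header to see whether the file even carries an Authenticode certificate table. The minimal PE image is constructed inline so the checks run offline; the function names are my own.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the Certificate Table data directory

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file image, to compare with a published hash or your own build."""
    return hashlib.sha256(data).hexdigest()

def pe_has_certificate_table(data: bytes) -> bool:
    """True if the PE's Certificate Table directory is non-empty (an Authenticode blob is present).
    Presence is not validity: verify the chain with signtool or Get-AuthenticodeSignature."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32: data directories start at offset 96
        dd = opt + 96
    elif magic == 0x20B:                         # PE32+: data directories start at offset 112
        dd = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, dd - 4)[0]   # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    offset, size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return offset != 0 and size != 0

def assess_patch(data: bytes, published_sha256: str) -> dict:
    """Combine both checks. A matching hash only proves the file is what the publisher
    shipped (or what you built yourself); it says nothing about the publisher's intent."""
    return {
        "hash_matches": sha256_hex(data) == published_sha256.lower(),
        "has_certificate_table": pe_has_certificate_table(data),
    }

def build_sample_pe(cert_size: int) -> bytes:
    """Constructed minimal PE32+ image (headers only, no sections) for demonstration."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)          # e_lfanew -> PE header at 64
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112 + 16 * 8, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\x00" * 106 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if cert_size:   # the security directory holds a raw file offset, not an RVA
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x400, cert_size)
    return dos + coff + opt + bytes(dirs)
```

An unsigned, unofficial patch is not automatically malicious (most fan patches are unsigned), but a hash that does not match what the project publishes means you are not holding the file the project intended to ship, and that is the one case where not running it is the clear call.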