But there are a number of things that can be done:
- always verify the checksum (if available), in case the download mirror (but not the web site itself) got compromised.
- check for strange strings in the binary (use "strings" and "grep"). E.g. URLs
- scan the downloaded file on Jotti or VirusTotal.
- unpack the binary manually with 7-zip or similar if it's a self-extracting file.
- check installation scripts, build files, etc. (if applicable).
- if downloading source code, check a couple of files at random. Will most likely not protect you, but if everyone does it, it helps detect embedded malware (or bugs) early.
- run "strace" (Linux/Unix) or "FileMon" (Windows) or similar software and log what the software does when you install and run it for the first time.
- and check Hacker News regularly ;)
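The first two tips above (verify the published checksum, look for odd strings such as URLs in the binary) as a small POSIX shell helper. This is an added example, not part of the comment or of any project it mentions; it assumes only `sha256sum` (or `shasum`) and a `grep` that accepts `-a`, and the file it inspects is constructed on the spot rather than a real download.

```shell
#!/bin/sh
# Added example: apply the checksum and "strings | grep" tips to a downloaded file.
# Assumes a POSIX shell, sha256sum or shasum, cut, tr and grep -a.

# Compute the SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a file's SHA-256 with the checksum published on the project's own
# web site (not on the mirror). Returns 0 on match, 1 on mismatch; hex case
# is normalised because sites publish either.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# List URL-like strings embedded in a binary. grep -a treats the file as
# text, so this works even where the "strings" tool is not installed.
embedded_urls() {
    grep -a -o -E 'https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+' "$1" | sort -u
}

# Demo on a constructed pseudo-binary (not a real download); the checksum is
# taken from the file itself only to show the match path.
demo() {
    tmp=$(mktemp)
    printf '\177ELF\001\001junk\001http://example.invalid/update\001more\001' > "$tmp"
    if verify_checksum "$tmp" "$(sha256_of "$tmp")"; then
        echo "checksum OK"
    else
        echo "checksum MISMATCH: do not install"
    fi
    echo "embedded URLs:"
    embedded_urls "$tmp"
    rm -f "$tmp"
}
```

In practice the second argument to `verify_checksum` is the value copied from the project's own download page, so that a mirror serving a tampered file shows up as a mismatch; the URL list is a prompt for manual review (an updater or telemetry endpoint you did not expect is worth a closer look), not a verdict on its own.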