July 29, 2012 at 1:02 PM ET
How two Pakistani brothers and one piece of runaway code created the anti-virus industry.
It was early 1987, and security expert Roger Thompson had just seen his first computer virus, in a programming class at a technical college in Brisbane, Australia. "Back in those days, there really weren't any programs you could use to look for these things," recalls Thompson, who now works for anti-virus company AVG. "Somebody just handed me a disk." On the boot sector of the disk, there was a program called Brain.
"I took a look at the computer to see where it had written itself, and it wasn't anywhere on the hard drive. I thought, 'Oh, it's not a virus at all.' So I just moved on and put another disk in. Suddenly the virus was on the second disk. It was seeding every floppy I put in."
Prank programs had been around as long as there were computers to run them on, but truly self-replicating code hadn't been seen outside of university computer labs. The code was hovering in working memory, copying itself onto the boot sector of every disk that entered the machine. The program was non-destructive, but virulent — and because those 5 1/4-inch disks were the only way to move data onto or off of a computer, Brain was able to span half the globe by the time it arrived in Brisbane.
Once Thompson isolated the code, he found an even bigger surprise. The creators' names were written into every copy: Basit & Amjad Alvi of Brain Computer Services, Lahore, Pakistan.
By the end of the year, Brain had spread through America and most of Europe, hopping from disk to disk, computer to computer. To leap across the ocean — to reach Roger Thompson in Brisbane, say — someone had to take an infected floppy onto a plane or ship. This was before the web: It was a lot harder to cross the ocean. And as the virus spread, so did the rumors: Was this some kind of revenge against software pirates? Were the brothers trying to kick off an IT security firm?
The truth is less dramatic. As Amjad describes it to BuzzFeed, he and his brother were just playing around with assembly language: "At the time, there were not multi-tasking OSs or multi-tasking programs, so we found some interesting code that stayed resident in the background of the memory." It was a powerful trick. "For more than a year, we were experimenting, just learning things. It was not planned that we were going to make a virus."
Patient zero was a hospital in the provincial capital of Quetta, 600 miles west of Lahore. In the fall of 1986, the Alvi brothers visited the hospital to install some software they'd developed. On the way, Amjad realized one of his disks was infected with the self-replicating program they'd been experimenting with. He decided to leave it there. "If someone wanted to steal my program, I figured I would know that program was stolen from that specific, isolated medical computer," he says. Having left it on a business computer in rural Pakistan, there was no reason to think the program would spread.
It took two years for Amjad to get his first call. Thanks to the time difference, it came in the middle of the night, from a student reporter at Miami University. She had found his number on a floppy disk.
There had been computer viruses in labs before, most notably Fred Cohen's experiements at USC in the early 1980s, but as long as the programs were confined to a lab, it was impossible to know how quickly or thoroughly they might spread. Simply releasing a program into the wild was impossible, due to ethics concerns, so it took a minor pandemic like Brain to make the IT world take notice. As Thompson puts it, "Nobody actually believed viruses existed until they got one, and then they became a believer right away."
Within a year of Brain's release, John McAfee and Eugene Kaspersky had both set up shop selling virus protection software. Shortly after, F-Secure in Finland, F-Prot in Iceland and Doctor Solomon's Antivirus in England followed suit, along with Thompson's own Leprechaun Software. Suddenly, anyone with a digital infrastructure was aware of the risk posed by viruses, and willing to pay money to protect themselves. A new industry sprang up in the space of a few years.
The Alvi brothers, for the most part, were left out. The western anti-virus businesses had little interest in cornering the Pakistani market, and in the years it took Brain to spread, Basit and Amjad moved on to other interests. Brain Inc. is a telecom company now. In 1998, they installed Pakistan's first high-speed fiber network. Even with the rise of militarized malware like Flame, Mr. Alvi hasn't seen much reason to get back into the anti-virus business. "If there can be a physical assault there can be a cyber assault as well," he told us. "It is not any different in my opinion." And for an honest man, coding viruses isn't much of a business opportunity.