Original URL: http://www.theregister.co.uk/2010/02/02/gmp_conficker/
Manchester cops clobbered by Conficker
PCs' PCs still unplugged from PNC
Greater Manchester Police's computer network has been infected by the infamous Conficker worm, leaving beat cops unable to run computer checks on suspected criminals and vehicles for the last three days.
The malware was likely introduced into the GMP network after an already infected memory stick was plugged into a Windows PC.
Conficker (aka Downadup) began spreading on Friday evening leading to a decision to disconnect GMP systems from the Police National Computer (PNC) while the malware outbreak was contained. Police were obliged to call contacts in neighbouring forces in order to run PNC checks, the Manchester Evening News reports.
GMP's incident log crime recording systems was not affected by the malware outbreak, which was brought under control by Monday afternoon. GMP's reconnection to the PNC is yet to happen at the time of writing on Tuesday lunchtime, but this is likely to happen later today.
GMP assistant chief constable Dave Thompson said in a statement that the service the force offered to the public was not affected by the Conficker outbreak. The GMP's website and associated blogs also remained up and running during the incident.
On Friday 29 January 2010, a virus was identified within GMP the IT system.
The virus, Conficker, is not destructive and no data has been lost but due to the speed it has spread we have temporarily cut off our access to the Police National Computer and other Criminal Justice systems to prevent further infection.
A team of experts is now working on removing the virus, and will not reconnect until we are sure there is no further threat.
We have systems in place to ensure this does not affect our service to the communities of Greater Manchester.
At this stage it is not clear where the virus has come from but we are investigating how this has happened and will be taking steps to prevent this from happening again.
Information security experts reckon it's unlikely that GMP, Britain's third biggest police force, was deliberately targeted for attack. Previous victims of Conficker have included the UK Ministry of Defence, parliament and Manchester Council. The February 2009 incident cost council tax payers £1.5m in lost parking ticket revenue and security consultant fees.
Officers and civilian staff have been warned against using unauthorised USB flash drives and advised to run regular security scans using up to date anti-virus software. GMP employs 8,200 police officers and 4,100 civilian staff.
A GMP spokesman said it was yet to determine if an infected memory stick was to blame for the spread of malware across the force's systems, though it is the more likely scenario than the alternative explanation of infection from a connected network that took advantage of unpatched systems at GMP.
Jason Holloway, sales manager Northern Europe for secure USB drive vendor SanDisk, said: "Conventional USB flash drives are a key method for spreading these infections stealthily, and without the drive’s user being aware – as both Ealing and Manchester Councils found last year."
"Virus scanning has to extend beyond the PC to all types of removable storage. Better still, employees should only be able to use authorised flash drives that include on-board antivirus scanning. This ensures that users can’t turn off, disable or work around the protection, and would stop these infections from spreading."
Graham Cluley, a senior security consultant at Sophos, agreed with Holloway that the Conficker infection at GMP can most likely be traced back to an infected memory stick. Organisations need to control access to USB ports to clamp down on what has become a major route of virus infection over recent years, he added.
"Conficker, which was first encountered in late 2008 and created a hystericane of media interest in March last year, spreads via a variety of methods - but my guess is that it's most likely that it infected the police systems via an infected USB stick," Cluley wrote in a blog post on the GMP outbreak. "After all, they've had well over a year to put the Microsoft patch in place.
"Malware like the Conficker worm can spread via infected memory sticks, taking advantage of the AutoRun facility to execute on computers, and has been a common route for virus distribution in recent years. The problem was such that it encouraged Microsoft to improve the way AutoPlay worked in Windows 7." ®