Greater Manchester Police computers infected by Conficker virus
Greater Manchester Police disconnected from the Police National Computer since Friday
Conficker infects Greater Manchester Police IT systems
The Conficker virus has infected Greater Manchester Police (GMP) IT systems, necessitating their isolation from the Police National Computer (PNC) system.
PNC IT experts disconnected GMP’s system from the central database last Friday. GMP has since been asking neighbouring forces to carry out name and vehicle checks on its behalf.
Speaking to the BBC, assistant chief constable Dave Thompson said no data had been lost and that the virus was not destructive, but gave no details of whether it was a variant of the original virus.
"A team of experts is now working on removing the virus, and we won't be reconnected until we are sure there is no further threat," said Thompson.
"We have systems in place to ensure this does not affect our service to the communities of Greater Manchester, but at this stage it is not clear where the virus has come from, but we are investigating how it happened and will be taking steps to prevent it from happening again," he added.
The Conficker virus can be spread by USB sticks, especially if the system they plug into has the autorun feature enabled, which will run any executables – such as the virus – when the stick is plugged in.
Security vendors' products which have centralised monitoring of desktop systems can switch autorun off by default, or only allow system access to specific USB keys, an approach called USB port access control. The ultimate protection can be obtained by setting up the security software to disable all USB ports, and some IT managers have physically blocked up the ports to stop people using USB devices.
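As an added illustration, not part of the original article, the Python sketch below audits Windows registry settings collected from a fleet and flags desktops where AutoRun is still active for removable drives or USB mass storage is still allowed. It assumes the Windows NoDriveTypeAutoRun policy value and the USBSTOR driver's Start value stand in for the vendor controls described above; the host names and the "[host: ...]" collection format are hypothetical.

```python
import re
# A set bit in NoDriveTypeAutoRun disables AutoRun for that drive type.
DRIVE_BITS = {0x04: "removable", 0x08: "fixed", 0x10: "network", 0x20: "cdrom"}
HOST_RE = re.compile(r"^\[host: (.+)\]$")
VALUE_RE = re.compile(r"^\s+(\w+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

# Constructed sample of per-host `reg query` output; the [host: ...] framing is hypothetical.
SAMPLE = r"""
[host: desk-001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0xff
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
    Start    REG_DWORD    0x4
[host: desk-002]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
    Start    REG_DWORD    0x3
[host: desk-003]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
    Start    REG_DWORD    0x3
"""

def parse(text):
    """Return {host: {value_name: int}} from the collected output."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = hosts.setdefault(m.group(1), {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return hosts

def audit(text):
    """Return {host: [issues]} for hosts exposed to AutoRun-borne malware."""
    findings = {}
    for host, values in parse(text).items():
        issues = []
        mask = values.get("NoDriveTypeAutoRun")
        if mask is None:
            # Assumption: an absent policy value is reported, not trusted.
            issues.append("autorun policy not set")
        elif not mask & 0x04:
            on = [name for bit, name in DRIVE_BITS.items() if not mask & bit]
            issues.append("autorun enabled for: " + ", ".join(on))
        if values.get("Start") != 4:  # 4 = USB mass-storage driver disabled
            issues.append("USB storage driver not disabled")
        if issues:
            findings[host] = issues
    return findings
```

Calling `audit(SAMPLE)` returns only the hosts that need attention, so a fully locked-down desktop such as desk-001 does not appear in the result.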
Conficker began in 2008, but the Windows vulnerability it exploits was patched by Microsoft in October 2008 (MS08-067). Microsoft’s website records five variants of Conficker, A to E, and the software giant has offered a reward for the discovery of the author of the initial version of the virus.
It was the second variant of Conficker ('B'), detected in December 2008, which added the ability to propagate through USB devices.
Security vendor Sophos’s senior technology consultant Graham Cluley said on his popular blog: “My guess is that it's most likely that it infected the police systems via an infected USB stick. After all, they have had well over a year to put the Microsoft patch in place.”
Cluley pointed out that although companies cannot strip-search employees to stop them bringing USB sticks inside the firewall, there are steps that can be taken by vigilant IT managers to minimise the risk. “More and more organisations are looking to USB port access control – it doesn't just help stop malware, it can stop sensitive data from leaking out too,” said Cluley.
The PNC allows police forces to search a criminal names database using QUEST (Querying Using Enhanced Search Techniques), as well as a vehicle query function called VODS (Vehicle Online Descriptive Search) and Automatic Number Plate Recognition (ANPR).
The system also gives web-based access to CRIMELINK – an enhanced version of the Comparative Case Analysis Tool (CCA), used to help solve serious serial-type crimes through pattern recognition to link incident similarities.
This is not the first time Manchester has had a run-in with Conficker. In February 2009, Manchester City Council’s IT system was infected, causing an estimated £1.5m of disruption; the infection is believed to have been caused by USB memory devices.