The question should be...
..how it got on there, but how the ******** hell it spread. Let me guess the AV hasn't been updated since 2007.
Oh Linux / Mac FB's. Please be quiet.....
Manchester police were once again able to run inquiries on the Police National Computer on Wednesday morning, after techies purged a Conficker worm infection from the force's network. The malware infection left cops unable to run PNC checks on suspect persons or vehicles between Friday evening - when a decision to disconnect …
Last week we had "New Dawn Fades" and "Isolation" by Joy Division, now there's the Smiths.
Are you guys in the Reg office having a competition whenever an article mentions Manchester of late?
Will New Order fans rise up next since there are plenty of song titles that could easily be quoted too?
So not only do Manchester police allow people to attach USB memory sticks to machines containing sensitive information they also don't bother to virus check them. Nice to know that the people responsible for policing our streets take security so seriously.
"Conficker, which originally spread in November 2008 by taking advantage of a Windows vulnerability"
That vulnerability was only one of Conficker's attack vectors. I've seen plenty of infections where that particular hole had been patched. What made Conficker so effective is that it had so many attack vectors: close one hole and it still found another way in.
The best way to protect against it is up to date AV software. Back in 2008 a lot of pundits were telling us that there was no more need for traditional AV software and that other solutions would be more effective. Then along came a chunk of malware for which the best defence was traditional AV software. Handy coincidence for some software vendors.
The last time I had to deal with Conficker was in December. The version that infected a small network was not like the 2008 version.
It infected fully patched computers.
It was not detected by McAfee at all, Sophos detected it and removed it from memory but it came back on reboot. Trend was able to remove it.
Following a recent event I would go with the USB key as an introductory source as well.
I recently attended a local government event concerning educational choices and at the end was provided with a 1GB USB key for completing a short questionnaire on the event. Upon returning home I pushed it into my daughter's laptop just to see if they had included any presentation or further information. I was a little surprised to find that the only thing included was a copy of the Conficker virus, which wasn't what I was expecting. Fortunately I do like to keep the antivirus up to date on the kids' computers so it didn't cause a problem. I did wonder how many of the hundreds of other USB sticks they gave away would have ended up in unprotected computers.
When I called the next day to advise them they didn't seem overly interested or concerned, but then again I wasn't really talking to anybody who would understand.
It took us over a week. And I'll bet the thing got in for the same reasons: special case kit that couldn't run AV, and users who lobbied for autorun (you only need the ear of one director and all the best practice in the world gets thrown out), and a budget limited more to firefighting than comprehensive security lockdown.
Can't speak for GM Police, but the MCC IT department was spectacularly useless when it came to dealing with Conficker. The techs dealing with the infection themselves were doing a grand job, but they were hampered by a ridiculous security policy and the insistence of, amongst others, chief execs on having their computers released from most of the security restrictions. Then there was the problem of parts of the IT department being lazy and doing nothing when emergency directives were coming through. The IT guy in our office (a manager with nobody to manage) spent most of it sleeping.
Then there was the whole problem of computers getting re-infected because those same security policies often prevented the installation of security updates to deal with the infection. And finally, reliance on Microsoft for *everything* (yes, even their web servers) meant that there were places it could hide all the time. It took them a year to clear everything out. Wouldn't surprise me if there's still a computer lurking somewhere with an infection just waiting to be turned on again.
And their security policies are still contradictory shit. Not even close enough for government work.
Anon for obvious reasons.
An external contractor brought it in on a USB drive and infected a test PC we were using. Fortunately we had patched the general network and we run the XP firewall, so it couldn't spread over the network. The problem with bringing it in on a USB drive is that an administrator can of course then infect the system; I tried but couldn't infect a PC when logged on as a restricted user. This is another reason that users should NOT be administrators on their PCs. I've found very few apps that can't be run as a restricted user, and any that don't run usually just require write access to a couple of files or folders. A few mins with Regmon, Filemon or Process Explorer will sort that.
Oh, and up-to-date antivirus please. If you can't do that, then a firewall and USB drives disabled. I appreciate the above post about people in power demanding more access; I'd always make my feelings known in writing if necessary so the blame doesn't come your way.
"Oh Linux / Mac FB's. Please be quiet....."
But...but.... well, OK then.
Why can't these guys keep their systems at least minimally up to date or secure?!? Forget the virus scanners... The computer the stick was directly plugged into should have had autorun turned off. And then it should not have been able to spread to other systems, since they should not have had the vulnerabilities Conficker would use for quite a loooong time.
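The two controls the last comment names (autorun disabled on the machine the stick went into, and the Windows hole Conficker used already patched) can be audited from PowerShell. This is an added example, not code from the thread or from any vendor; it assumes the MS08-067 fix is present as hotfix KB958644 and reads the standard NoDriveTypeAutoRun policy value, where 0xFF disables autorun on every drive type.

```powershell
# Added audit script: checks the two controls discussed above on the local host.
# Run in an elevated PowerShell session on the machine being audited.

function Test-AutorunDisabled {
    # Machine-wide policy key; 0xFF (255) disables AutoRun for all drive types.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $value) { return $false }          # policy not set at all: autorun enabled
    return (($value -band 0xFF) -eq 0xFF)            # every drive-type bit must be set
}

function Test-MS08067Patched {
    # KB958644 is the MS08-067 Server service fix Conficker's network vector relied on.
    $fix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    return ($null -ne $fix)
}

function Test-RunningAsAdmin {
    # The comment above notes the worm needed admin rights to take hold from USB.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$report = [ordered]@{
    'Autorun disabled (NoDriveTypeAutoRun = 0xFF)' = Test-AutorunDisabled
    'MS08-067 hotfix KB958644 installed'           = Test-MS08067Patched
    'Current user is a local administrator'        = Test-RunningAsAdmin
}

foreach ($check in $report.Keys) {
    $state = if ($report[$check]) { 'YES' } else { 'NO' }
    Write-Output ("{0,-48} {1}" -f $check, $state)
}
```

Systems newer than XP/2003 ship without the Server service bug, so a missing KB958644 on them is not a finding; the autorun and administrator checks still apply.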