Unexpected mass reboots are worth investigating
An ISC reader told us that his company observed a large number of their PCs unexpectedly reboot at around 18:00 Central Time yesterday, with nothing in the event logs to show a shutdown sequence.
Is this organization dealing with a large-scale malware infection? Possibly. A malicious program could be rebooting the systems to embed itself deep in the OS, or to disable an anti-virus tool. Of course, the reboots could also be the result of a less malevolent incident, such as a bug in a benign program.
Regardless, unexpected mass reboots are certainly worth investigating. Anyone else encountering them lately?
Update: An ISC reader pointed out that a common cause of unexpected reboots without Event Log entries is a power outage. Desktops would reboot; laptops would typically stay up. Great point!
-- Lenny
Lenny Zeltser - Security Consulting
Lenny teaches a SANS course on analyzing malware.
Comments