
SANS ISC: InfoSec Handlers Diary Blog


Unexpected mass reboots are worth investigating

Published: 2009-01-22
Last Updated: 2009-01-22 16:19:07 UTC
by Lenny Zeltser (Version: 2)
3 comment(s)

An ISC reader told us that his company observed a large number of its PCs unexpectedly reboot at around 18:00 Central Time yesterday, with nothing in the Event Logs to show an orderly shutdown sequence before the machines came back up.

Is this organization dealing with a large-scale malware infection? Possibly. A malicious program could be rebooting the systems to finish embedding itself deep in the OS (a driver or rootkit component that only loads at boot, for instance), or to disable an anti-virus tool. Of course, the reboots could also be the result of a less malevolent incident, such as a bug in a benign program or a faulty patch.

Regardless, unexpected mass reboots are certainly worth investigating. A good first step is to pull the System log from a few of the affected machines and look for the markers of an orderly shutdown just before the boot (event ID 6006, Event Log service stopped, and 1074, a user or process requested the shutdown); a reboot that a program or an administrator initiated normally leaves those behind, so their absence, especially with a 6008 "previous shutdown was unexpected" entry on the way back up, points to a crash or loss of power rather than a deliberate restart. Anyone else encountering them lately?

Update: An ISC reader pointed out that a common cause of unexpected reboots without Event Log entries is a power outage. Desktops would reboot; laptops running on battery would typically stay up, so comparing the two populations is a quick way to test that explanation. Great point!
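As an added example (not code from this diary or from the reader), here is the triage the two paragraphs above describe, run over a constructed set of Windows System-log extracts: flag boots (event ID 6005) that were not preceded by an orderly shutdown (6006 or 1074), group them into bursts across hosts, and then apply the desktop-versus-laptop rule of thumb. The host names, inventory, timestamps and record layout are assumptions made up for illustration; the event IDs are the standard Windows ones.

```python
"""Triage an unexpected mass reboot from Windows System-log extracts.

Added example for this diary, not code from the ISC post. The record
layout, host names, inventory and timestamps are constructed for
illustration. The event IDs are the standard Windows System-log markers:
  6005  Event Log service started (the host has just booted)
  6006  Event Log service stopped (orderly shutdown)
  6008  previous shutdown was unexpected (logged on the next boot)
  1074  a user or process requested a shutdown or restart (User32)
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVTLOG_STARTED, EVTLOG_STOPPED = 6005, 6006
UNEXPECTED_SHUTDOWN, SHUTDOWN_REQUESTED = 6008, 1074
CLEAN_SHUTDOWN_MARKERS = {EVTLOG_STOPPED, SHUTDOWN_REQUESTED}


def stamp(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed inventory: laptops keep running on battery when the mains drop.
INVENTORY = {"PC-01": "desktop", "PC-02": "desktop", "PC-03": "desktop",
             "PC-04": "desktop", "LT-01": "laptop", "LT-02": "laptop"}

# Constructed System-log records as (host, timestamp, event_id).
SAMPLE_EVENTS = [
    # Every host shut down cleanly the evening before and booted in the morning.
    *[(h, stamp("2009-01-20 18:05"), EVTLOG_STOPPED) for h in INVENTORY],
    *[(h, stamp("2009-01-21 08:00"), EVTLOG_STARTED) for h in INVENTORY],
    # PC-04: a patch reboot at lunch, with the shutdown sequence logged first.
    ("PC-04", stamp("2009-01-21 12:30"), SHUTDOWN_REQUESTED),
    ("PC-04", stamp("2009-01-21 12:30"), EVTLOG_STOPPED),
    ("PC-04", stamp("2009-01-21 12:32"), EVTLOG_STARTED),
    # Three desktops come back around 18:00 with no shutdown sequence before it;
    # Windows records the dirty shutdown (6008) on the way up. Laptops log nothing.
    ("PC-01", stamp("2009-01-21 17:59"), EVTLOG_STARTED),
    ("PC-01", stamp("2009-01-21 17:59"), UNEXPECTED_SHUTDOWN),
    ("PC-02", stamp("2009-01-21 18:00"), EVTLOG_STARTED),
    ("PC-02", stamp("2009-01-21 18:00"), UNEXPECTED_SHUTDOWN),
    ("PC-03", stamp("2009-01-21 18:01"), EVTLOG_STARTED),
    ("PC-03", stamp("2009-01-21 18:01"), UNEXPECTED_SHUTDOWN),
]


def unexplained_boots(events):
    """Return {host: [boot_time, ...]} for boots not preceded by an orderly shutdown.

    Scans each host's records in time order: a 6006 or 1074 "arms" a clean
    shutdown and the next 6005 consumes it. A 6005 with nothing armed means the
    host was up and then simply came back, which is what the reader described.
    """
    by_host = defaultdict(list)
    for host, ts, eid in events:
        by_host[host].append((ts, eid))
    flagged = defaultdict(list)
    for host, recs in by_host.items():
        clean_pending = False
        for ts, eid in sorted(recs):
            if eid in CLEAN_SHUTDOWN_MARKERS:
                clean_pending = True
            elif eid == EVTLOG_STARTED:
                if not clean_pending:
                    flagged[host].append(ts)
                clean_pending = False
    return dict(flagged)


def reboot_clusters(boots, window=timedelta(minutes=10), min_hosts=3):
    """Group unexplained boots across hosts into bursts at most `window` wide.

    Returns a list of clusters, each a time-sorted list of (timestamp, host),
    keeping only bursts that hit at least `min_hosts` distinct hosts.
    """
    points = sorted((ts, host) for host, times in boots.items() for ts in times)
    clusters, current = [], []
    for point in points:
        if current and point[0] - current[0][0] > window:
            clusters.append(current)
            current = []
        current.append(point)
    if current:
        clusters.append(current)
    return [c for c in clusters if len({h for _, h in c}) >= min_hosts]


def assess(cluster, inventory):
    """Apply the diary's rule of thumb: a power outage reboots desktops while
    laptops on battery stay up, so laptops in the burst argue against it."""
    rebooted = {h for _, h in cluster}
    laptops = {h for h, kind in inventory.items() if kind == "laptop"}
    if not laptops:
        return "inconclusive: no laptop population to compare against"
    if rebooted & laptops:
        return "laptops rebooted too: power loss unlikely, treat as possible malware or software fault"
    return "desktops only: consistent with a power outage, check facilities and UPS logs first"


def triage(events, inventory):
    """Run the whole chain and return one summary dict per suspicious burst."""
    boots = unexplained_boots(events)
    return [{"start": c[0][0], "hosts": sorted({h for _, h in c}),
             "verdict": assess(c, inventory)}
            for c in reboot_clusters(boots)]


if __name__ == "__main__":
    for burst in triage(SAMPLE_EVENTS, INVENTORY):
        print(burst["start"], burst["hosts"], burst["verdict"])
```

On the constructed data this reports a single burst of three desktops around 18:00 with the power-outage verdict; adding a laptop boot in the same minute flips the verdict, which is exactly the comparison the reader's update suggests. The window and host thresholds are arbitrary starting points, and a real run would feed exported System logs (e.g. from wevtutil or psloglist) into `unexplained_boots` in the same (host, timestamp, event_id) shape.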

-- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches a SANS course on analyzing malware.
