Unexpected mass reboots are worth investigating

Published: 2009-01-22
Last Updated: 2009-01-22 16:19:07 UTC
by Lenny Zeltser (Version: 2)
3 comment(s)

An ISC reader told us that his company observed a large number of their PCs unexpectedly reboot at around 18:00 Central Time yesterday, with nothing in the event logs to show a shutdown sequence.

Is this organization dealing with a large-scale malware infection? Possibly. A malicious program could be rebooting the systems to embed itself deep in the OS, or to disable an anti-virus tool. Of course, the reboots could also be the result of a less malevolent incident, such as a bug in a benign program.

Regardless, unexpected mass reboots are certainly worth investigating. Anyone else encountering them lately?

Update: An ISC reader pointed out that a common cause of unexpected reboots without Event Log entries is a power outage. Desktops would reboot; laptops would typically stay up. Great point!

-- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches a SANS course on analyzing malware.

Keywords:
3 comment(s)

Comments

Could this be related to patch updates or antivirus program updates?
power glitch? and what malware protection do they company use?
This could also be caused by WSUS releasing a patch with a deadline set. But then again he says the logs show nothing.

Diary Archives