Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Unexpected mass reboots are worth investigating SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Unexpected mass reboots are worth investigating

An ISC reader told us that his company observed a large number of their PCs unexpectedly reboot at around 18:00 Central Time yesterday, with nothing in the event logs to show a shutdown sequence.

Is this organization dealing with a large-scale malware infection? Possibly. A malicious program could be rebooting the systems to embed itself deep in the OS, or to disable an anti-virus tool. Of course, the reboots could also be the result of a less malevolent incident, such as a bug in a benign program.

Regardless, unexpected mass reboots are certainly worth investigating. Anyone else encountering them lately?

-- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches a SANS course on analyzing malware.


216 Posts
Jan 22nd 2009
Could this be related to patch updates or antivirus program updates?

7 Posts
power glitch? and what malware protection do they company use?
This could also be caused by WSUS releasing a patch with a deadline set. But then again he says the logs show nothing.

32 Posts

Sign Up for Free or Log In to start participating in the conversation!