
SANS ISC: Unexpected mass reboots are worth investigating - SANS Internet Storm Center SANS ISC InfoSec Forums

Unexpected mass reboots are worth investigating

An ISC reader told us that his company observed a large number of their PCs unexpectedly reboot at around 18:00 Central Time yesterday, with nothing in the event logs to show a shutdown sequence.

Is this organization dealing with a large-scale malware infection? Possibly. A malicious program could be rebooting the systems to embed itself deep in the OS, or to disable an anti-virus tool. Of course, the reboots could also be the result of a less malevolent incident, such as a bug in a benign program.

Regardless, unexpected mass reboots are certainly worth investigating. Anyone else encountering them lately?

-- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches a SANS course on analyzing malware.
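
One way to triage the situation described in the diary above, as an added example that is not part of the original diary: flag boots that have no clean-shutdown record before them and check whether several hosts did this at about the same time. The event IDs are the standard Windows System-log ones; the tuple export format, host names, timestamps and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows System-log event IDs:
# 1074 = restart/shutdown initiated by a process or user, 6006 = Event Log service stopped (clean),
# 6005 = Event Log service started (boot), 6008 = previous shutdown was unexpected,
# 41   = Kernel-Power: system rebooted without cleanly shutting down first.
CLEAN, DIRTY, BOOT = {1074, 6006}, {6008, 41}, 6005

# Constructed sample export: (host, ISO timestamp, event ID). Not data from the diary.
SAMPLE = [
    ("pc01", "2024-01-10T08:00:00", 1074), ("pc01", "2024-01-10T08:00:20", 6006),
    ("pc01", "2024-01-10T08:01:30", 6005),
    ("pc01", "2024-01-10T18:02:10", 6005), ("pc01", "2024-01-10T18:02:11", 6008),
    ("pc02", "2024-01-10T18:01:40", 6005), ("pc02", "2024-01-10T18:01:41", 41),
    ("pc03", "2024-01-10T18:03:05", 6005), ("pc03", "2024-01-10T18:03:06", 6008),
    ("pc04", "2024-01-10T18:04:00", 1074), ("pc04", "2024-01-10T18:04:30", 6006),
    ("pc04", "2024-01-10T18:05:40", 6005),
]

def classify_boots(events, lookback=timedelta(minutes=10)):
    """Label every boot 'clean' or 'unexpected' from the records around it."""
    by_host = defaultdict(list)
    for host, ts, eid in events:
        by_host[host].append((datetime.fromisoformat(ts), eid))
    boots = []
    for host, evs in by_host.items():
        for boot_ts, eid in evs:
            if eid != BOOT:
                continue
            # A clean restart leaves 1074/6006 shortly before the boot record.
            clean = any(e in CLEAN and timedelta(0) <= boot_ts - t <= lookback for t, e in evs)
            # 6008/41 are written at the boot that follows an unclean stop.
            dirty = any(e in DIRTY and abs(t - boot_ts) <= lookback for t, e in evs)
            boots.append((host, boot_ts, "clean" if clean and not dirty else "unexpected"))
    return boots

def mass_reboots(boots, window=timedelta(minutes=15), min_hosts=3):
    """Return (first_boot_time, hosts) for groups of unexpected boots within `window`."""
    unexpected = sorted((t, h) for h, t, kind in boots if kind == "unexpected")
    groups, current = [], []
    for t, h in unexpected:
        if current and t - current[0][0] > window:
            groups.append(current)
            current = []
        current.append((t, h))
    groups.append(current)
    return [(g[0][0], sorted({h for _, h in g})) for g in groups
            if len({h for _, h in g}) >= min_hosts]

if __name__ == "__main__":
    print(mass_reboots(classify_boots(SAMPLE)))
```

The earliest boot in an export has no history before it and will be labelled unexpected, so export a few hours of records before the window of interest.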


216 Posts
Jan 22nd 2009
Could this be related to patch updates or antivirus program updates?

7 Posts
Power glitch? And what malware protection does the company use?
This could also be caused by WSUS releasing a patch with a deadline set. But then again he says the logs show nothing.

32 Posts
