How to block IP addresses using Dynamic Objects in PAN
This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant is known as TYPEFRAME. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.
Here is an easier way to do it, without having to enter IPs into the firewall manually one by one.
- Build a simple web server (all default settings are fine).
- Create a text file and place it in the default web directory (this text file will be updated with new IP address entries; just keep adding them at the bottom of the list).
- Use the “External Dynamic List” object on the firewall to create a new dynamic object list. In the object, enter the URL of the new web site:

As you can see, I have two web sites: 10.238.222.54/pan.txt and 10.238.222.54:8080/pan1.txt
One is used to block IP addresses listed in various security bulletins, and the second is used to block IP addresses specific to certain cases.
You can build a new web site for each blocking purpose (one to block URLs, another to block IPs, etc.), distinguished by a different port number.
- Set up the External Dynamic List to update itself every 5 min.
- Call this dynamic list from a firewall block rule. Use the External Dynamic List object as the source (PAN-Amazon….)
Here are results:
Here is my web structure:
And here is my blocking text file:
So you can set up a block rule, start pinging one of the blocked IPs (it should be allowed at first), and watch the ping get dropped once the firewall updates its rule after 5 min.
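Because the firewall re-reads this text file every 5 minutes and enforces whatever it contains, it helps to validate new entries before they land in the web directory. The following is an added example, not part of the original post: it appends entries to the list file, rejects malformed, overly broad, or internal addresses, and replaces the file atomically. The function names, the protected ranges, the /16 limit, and the one-IP-or-CIDR-per-line format are assumptions for illustration.

```python
import ipaddress
import os
import tempfile

# Assumption: never publish entries that overlap these ranges, so a typo
# cannot block internal hosts (the page's web server is 10.238.222.54).
PROTECTED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MIN_PREFIX = 16  # assumption: refuse any IPv4 entry broader than a /16


def parse_entry(text):
    """Return an ip_network for one candidate line, or raise ValueError."""
    net = ipaddress.ip_network(text.strip(), strict=False)
    if net.version == 4 and net.prefixlen < MIN_PREFIX:
        raise ValueError(f"{net} is too broad")
    if any(net.version == p.version and net.overlaps(p) for p in PROTECTED):
        raise ValueError(f"{net} overlaps a protected range")
    return net


def merge_blocklist(path, candidates):
    """Append valid new candidates to the list file; return (added, rejected)."""
    existing = []
    if os.path.exists(path):
        with open(path) as fh:
            existing = [ln.strip() for ln in fh if ln.strip()]
    seen = set(existing)
    added, rejected = [], []
    for raw in candidates:
        try:
            net = parse_entry(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        # Single hosts are written as a bare IP, networks as CIDR.
        entry = str(net.network_address) if net.num_addresses == 1 else str(net)
        if entry not in seen:
            seen.add(entry)
            added.append(entry)
    # Write to a temp file in the same directory, then rename, so the
    # firewall's 5-minute fetch never sees a half-written list.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(existing + added) + "\n")
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; the web server must read it
    os.replace(tmp, path)
    return added, rejected
```

Reviewing the `rejected` list before each publish catches entries such as a mistyped internal address or `0.0.0.0/0`, which the block rule would otherwise enforce at the next refresh.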
Let me know if you have any questions.
Regards,