Spyware grabs data *before* SSL encryption

Yes, you heard me correctly.

http://isc.sans.org/presentations/banking_malware.pdf

Describes an attack on IE where a file named img1big.gif installs and runs an IE Browser Helper Object that steals information before SSL transmission and sends copies to http://www.refestltd.com/cgi-bin/yes.pl

Visit the wrong website and IE is invisibly bugged. The thing that is scary is that the gif image is decompressed (UPX compression) and installed with a trojan dropper, then the data is sent using a very crude encryption algorythum. This is designed to beat filtering solutions designed to scan traffic for key words. If you do online banking, be sure to check this out.

thanks for the heads up
will norton or mcaffe stop it?

I'm not exactly sure at the moment. I can tell you that it is picked up as Small.AA by Kaspersky. This info was mentioned on the trojan horse mailing list earlier today.

I sure wouldn't consider this just spyware any more. It definately maleware, but has to be illeagle to use such a trojan also.