The cluster of hijacked computers, called the "Bahama botnet" because it was redirecting traffic through hundreds of thousands of parked domains in the Bahamas, has also been linked to the spike in scareware attacks, including the recent advertising server attack against the New York Times.
Here's the explanation from Click Forensics researchers:
Clicks on organic search results are redirected through a series of parked domains across a number of top-tier ad providers (search engines and ad networks), eventually arriving at an advertiser unrelated to the original query. The user is momentarily confused, but likely just performs the search again, this time with easy success.
What makes the botnet so insidious is that it operates intermittently so that the user doesn’t really know that anything is wrong. Additionally, it can operate independently of the user because the authors appear to be building a large database of authentically user-generated search queries. And because the queries come from many different machines (IPs) across a broad segment of the Internet population, it is very difficult to find and identify these clicks as fraudulent. But these auto-generated clicks were not able to disguise themselves well enough to escape Click Forensics anomaly detection algorithms. Additionally, large amounts of non-converting clicks were spotted in the data we receive from advertisers. From there, our team was able to hone in on the source of the Bahama botnet.
This video shows the botnet in action: