The trouble started on Saturday, when the criminals somehow placed the malicious ads on networks managed by Google's DoubleClick, as well as two others: YieldManager and ValueClick's Fastclick network, according to Mary Landesman, a senior security researcher with ScanSafe.
The attack comes just a week after the New York Times Web site was tricked into displaying a deceptive 'scareware' advertisement for fake antivirus software from scammers pretending to be ad buyers with Vonage, an Internet telephony company.
Instead of trying to trick Web surfers into buying bogus software, these ads attacked.
They would pop up a nearly invisible window in the victim's browser that contained a maliciously encoded pdf document, which included attack code that placed a variant of the Win32/Alureon Trojan horse program on the victim's computer. Sometimes, the ads would also try to exploit a previously patched flaw in Microsoft's DirectShow software, Landesman said.
"The user would have seen a very brief opening of a blank pdf window and it would be at the bottom portion of their screen," she said. The Alureon Trojan is known to download additional malware and often hijack victims' search results, she said.