The "Nine Ball" mass compromise has attacked about 40,000 computers this month. This attack is acquired when a user visits an infected site. It does not however change a users browsing experience. Users, infected with "FFsearcher" ( the name of the malicious tool ) will continue web browsing uninterrupted while the trojan works in the background under the veil of a hidden Internet Explorer window.
This attack utilizes Google's AdSense for Search tool and generates fraudulent clicks against Google's Adsense programs while a user conducts normal searches. Normally victims of attack are simply redirected to a bogus search engine, which is an immediate give-away to the infection. This attack is all about stealth. Search results from Google are returned normally--as they would absent of attack.
Another unusual aspect of this attack is that the FFsearcher device is not conducting click fraud against other advertisers ( as do many other attacks ). This attack simply generates a larger payout (from Google) for search ads--thus generating a larger profit for its ads.