Are we talking about (a) advertisers who have hacked AdWords accounts, or (b) consumers that click an ad that installs malware? These are very different subjects.
The impression I get is that the malware steals AdWords passwords (and perhaps other types of passwords as well)...so it's a bit of both (a) and (b).
BTW, tonight's Inside AdWords blog post addresses this issue briefly; it includes:
"On Tuesday, April 24th, Google identified and canceled AdWords accounts displaying ads that re-directed users to malicious sites. These sites attempted to install malware onto users’ computers. This is an issue we’ve taken very seriously and will continue to monitor. We are also evaluating our systems to ensure that the appropriate measures are in place to block future attempts."
[edited by: Rehan at 3:48 am (utc) on April 27, 2007]