I have read that the possible intent of this Botnet is to either inflate CPM`s for publishing websites, or harvest onsite emails for captcha boxes that require cookies. However, the email capture would require a crawl of the whole website - thus this reason seems less feasible. Most of the traffic is from USA and language=us-en this supports that idea that it is CPM intent (as non-USA traffic is generally filtered out by the banner networks).
If anyone is able to contact one of these effected IE users (e.g. via a popup), it would be really interesting to run the HiJackThis diagnostic tool, and then ask the user to post the report-output. The report should highlight any IE plugin or malware etc. http://www.trendmicro.com/ftp/products/hijackthis/HiJackThis.msi
Installing ClickTale on the homepage, then playing back a session would lso be interesting to seen, as this records page scroll and mousemovements byy default: www.clicktale.com
-------------------------------- OFF-TOPIC Note to GA team (or Apple iOS team) - Please update the GA log parser to separate-out "Mozilla Compatible Agent (web)" from "Mozilla Compatible Agent (mobile)".
"Mozilla Compatible Agent on mobile" is legitimate traffic from AppleWebKit from browsing within MobileApps. "Mozilla Compatible Agent on web" is generally robots from SiteConfidence bot, YahooNews bot, or Ask.com bot.
Examples: GOOD: "Mozilla Compatible Agent" on iPhone Mozilla/5.0+(iPhone;+U;+CPU+iPhone+OS+4_3_3+like+Mac+OS+X;+en-gb)+AppleWebKit/533.17.9+(KHTML,+like+Gecko)+Mobile/8J2
GOOD: "Safari" on iPhone Mozilla/5.0+(iPhone;+U;+CPU+iPhone+OS+4_3_1+like+Mac+OS+X;+en-us)+AppleWebKit/533.17.9+(KHTML,+like+Gecko)+Version/5.0.2+Mobile/8G4+Safari/6533.18.5
BAD: SiteCondence, Gomez and Ask.com on Web Mozilla/5.0+(Windows; U; Windows NT 5.1; en-gb; SiteCon/8.8.14) Mozilla/4.0+(compatible; GomezAgent1.0; MSIE 7.01; Windows NT 5.0) Mozilla/5.0+(compatible; Ask Jeeves/Teoma)