In the case of this attack, compromised servers were pointed to an incorrect address for the root entries for the entire .com domain, allowing the hijackers to reroute traffic to any server with a .com address.
The people responsible for the attack seem to have used multiple methods including DNS poisoning, bugs in products from both Microsoft Corp. and Symantec Corp., and spyware to do their terrible deeds.
"After monitoring the situation for several weeks now, it has become apparent that the attackers are changing their methods and toolset to point at different compromised servers in an effort to keep the attacks alive. This attack morphed into a similar attack with different IP addresses that users were re-directed towards." - Kyle Haugsness, incident handler at SANS.