Apparently it is to do with a theme/plugin vulnerability:
http://blog.sucuri.net/2011/08/wordpress-sites-hacked-with-superpuperdomain-com-attacking-timthumb-php.html
http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html