You can read their first-person account of the discovery here, which insists that registering the domain "was not a whim. My job is to look for ways we can track and potentially stop botnets..." Friday they also tweeted a map from the New York Times showing that registering that domain provided more time for U.S. sites to patch their systems. And Friday night they added "IP addresses from our [DNS] sinkhole have been sent to FBI and ShadowServer so affected organizations should get a notification soon. Patch ASAP."
UPDATE: Slashdot reader Lauren Weinstein says some antivirus services (and firewalls incorporating their rules) are mistakenly blocking that site as a 'bad domain', which allows the malware to continue spreading. "Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I'm receiving!"