Nice explanation D&T!
The DDoS attacks almost seem like a distraction, or a synergistic attack - but the malleability issue seems to come from an intention to steal coins transaction by transaction.
You guys agree or what?
NO. Malleability does NOT (directly) enable one to steal coins.
In a given transaction, the inputs, outputs and amounts ARE signed by the sender. One CANNOT change that without invalidating the transaction. However, one can pad additional data onto the transaction, which results in an equally valid transaction, but with a different txid (because the txid is the hash of the transaction). That transaction has the SAME effect as the original transaction: the "mutator" cannot take the coins.
HOWEVER, if the sender ONLY checks for txids to know if a transaction went through, then if the mutated transaction went through instead of the original, it'll falsely believe that the transaction failed, and may send a new transaction. The receiver may then have received the money twice.
Thus one should NEVER check for txids to verify a transaction, and instead check for inputs, outputs and amounts to ascertain that. Mt.Gox's software only checked for txids, and is now confused by all this mutability issue.
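To make the point above concrete, here is an added example (not code from the post, and not Mt.Gox's or any exchange's software). It serialises a constructed legacy transaction in the real pre-segwit wire format, with placeholder signature, pubkey and hash160 bytes (assumed, not real ones), hashes it to get the txid, then lets a third party prepend a superfluous OP_1 to the scriptSig. The txid changes; the inputs, outputs and amounts do not. The last two functions contrast a txid-only confirmation check, which wrongly reports the payment as failed, with a check on the signed contents. Script validation is not implemented here, so the fact that the padded copy was still accepted by the consensus rules of the time is taken from the post, not verified by this code.

```python
import copy
import hashlib
import struct

# Constructed placeholders: NOT a real signature, key or address hash, just bytes
# of plausible length so the scriptSig looks like a P2PKH spend (<sig> <pubkey>).
FAKE_SIG = b"\x30\x44" + b"\x02" * 70      # 72 bytes, stands in for DER sig + sighash byte
FAKE_PUBKEY = b"\x02" + b"\xab" * 32       # 33 bytes, stands in for a compressed pubkey
FAKE_PKH = b"\x11" * 20                    # 20 bytes, stands in for hash160 of receiver key

def push(data: bytes) -> bytes:
    """Direct push opcode for 1..75 bytes, as a wallet would emit."""
    return bytes([len(data)]) + data

def dsha256(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)

def serialize_tx(tx: dict) -> bytes:
    """Legacy (pre-segwit) transaction wire format; the txid is the double-SHA256 of this."""
    out = struct.pack("<i", tx["version"]) + varint(len(tx["vin"]))
    for i in tx["vin"]:
        out += bytes.fromhex(i["txid"])[::-1]          # prevout hash, internal byte order
        out += struct.pack("<I", i["vout"])
        out += varint(len(i["scriptSig"])) + i["scriptSig"]
        out += struct.pack("<I", i["sequence"])
    out += varint(len(tx["vout"]))
    for o in tx["vout"]:
        out += struct.pack("<q", o["value"])           # amount in satoshis
        out += varint(len(o["scriptPubKey"])) + o["scriptPubKey"]
    return out + struct.pack("<I", tx["locktime"])

def txid(tx: dict) -> str:
    return dsha256(serialize_tx(tx))[::-1].hex()

def payment_key(tx: dict):
    """What the signature commits to and what the receiver cares about: which coins
    were spent (prevouts) and who gets how much (outputs). scriptSig is excluded."""
    ins = tuple(sorted((i["txid"], i["vout"]) for i in tx["vin"]))
    outs = tuple((o["value"], o["scriptPubKey"].hex()) for o in tx["vout"])
    return (ins, outs)

def build_sample_tx() -> dict:
    """Constructed: spend one fake prevout, pay 0.5 BTC (50,000,000 sat) to a P2PKH script."""
    return {
        "version": 1,
        "vin": [{"txid": "aa" * 32, "vout": 0,
                 "scriptSig": push(FAKE_SIG) + push(FAKE_PUBKEY),
                 "sequence": 0xFFFFFFFF}],
        # OP_DUP OP_HASH160 <pkh> OP_EQUALVERIFY OP_CHECKSIG
        "vout": [{"value": 50_000_000,
                  "scriptPubKey": b"\x76\xa9" + push(FAKE_PKH) + b"\x88\xac"}],
        "locktime": 0,
    }

def malleate(tx: dict) -> dict:
    """Third-party mutation: prepend a superfluous OP_1 (0x51) to each scriptSig.
    Signature bytes, prevouts and outputs are untouched, so the signature still
    verifies; only the serialization, and therefore the txid, changes."""
    m = copy.deepcopy(tx)
    for i in m["vin"]:
        i["scriptSig"] = b"\x51" + i["scriptSig"]
    return m

def confirmed_by_txid(sent: dict, confirmed: list) -> bool:
    """Fragile check: did a transaction with exactly our txid confirm?"""
    return any(txid(c) == txid(sent) for c in confirmed)

def confirmed_by_contents(sent: dict, confirmed: list) -> bool:
    """Robust check: did a transaction with our inputs, outputs and amounts confirm?"""
    return any(payment_key(c) == payment_key(sent) for c in confirmed)

if __name__ == "__main__":
    original = build_sample_tx()
    mutated = malleate(original)
    print("original txid:", txid(original))
    print("mutated  txid:", txid(mutated))
    print("same inputs/outputs/amounts:", payment_key(original) == payment_key(mutated))
    chain = [mutated]   # suppose the network confirmed the mutated copy, not ours
    print("txid check says paid:    ", confirmed_by_txid(original, chain))
    print("contents check says paid:", confirmed_by_contents(original, chain))
```

Run as a script it prints two different txids, then `False` for the txid check and `True` for the contents check against the same confirmed transaction. The sender that trusts the first answer resends; the one that trusts the second does not. Matching on prevouts is the key part of `payment_key`: once a prevout is spent, no other transaction can spend it, so a confirmed transaction with the same prevouts and outputs is the same payment regardless of its hash.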