Router Botnet 
http://www.heise.de/ct/artikel/Aufstand ... 60334.html (German extract, full article behind paywall)

Routers running unpatched WRT software (Asus, Linksys, TP-Link, Buffalo among others) are susceptible to a botnet. The botnet uses a hole that WRT closed a while back, but most router manufacturers haven't gotten around to implementing the fix, even in new routers, let alone updating old routers.

It slips in a script (/ etc / init.d / rcS (without the spaces, the forum objects), which is in the Linux equivalent of the Autostart folder in Windows) and a command (dsniff) to sniff all packets going through the router. This means that it affects all traffic on the network, regardless of whether it is a PC, a tablet or a smartphone. It can only affect routers accessible from the Internet side (open remote ports for http/https, which has a bug). Routers shouldn't be accessible from the Internet side anyway, so unless the manufacturer incorrectly configures the router or the user opens up the ports to the outside world, there shouldn't be too many problems.

That said, c't used the Shodan search engine to look for affected routers and they found over 25,000 devices.

They also managed to get (legal) access to a few infected routers and could trace the botnet back to two servers that were still active, one in Estonia and one by 1&1 in Germany, which is being investigated by the LKA Niedersachsen (Lower Saxony state police).

Edit: sorry, the botnet owners stopped using the 1&1 server in August, the LKA didn't take it down. They had taken over the server by getting the credentials of the owner over his hijacked router. The owner of the server was innocent, they just set up an anonymous dropbox for collated data on his server.

_________________
"Do you know what this is? Hmm? No, I can see you do not. You have that vacant look in your eyes, which says hold my head to your ear, you will hear the sea!" - Londo Molari

Executive Producer No Agenda Show 246


Mon Sep 30, 2013 4:11 am
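
Added example, not part of the original post: a shell check for the two artifacts the post names, extra lines in the rcS init script and a running dsniff process. The function names, the sample data and the idea of keeping a known-good copy of rcS to compare against are assumptions for illustration; the post gives only the file path and the dsniff name.

```shell
#!/bin/sh
# Added example (not from the post): look for the two artifacts it names,
# an altered /etc/init.d/rcS and a running dsniff.

# Lines in init script $1 that are absent from known-good copy $2.
# Exit status 0 means extra lines were found.
rcs_added_lines() {
    grep -Fxv -f "$2" "$1" | grep -v '^[[:space:]]*$'
}

# dsniff entries in `ps` output read from stdin; status 0 means found.
dsniff_procs() {
    grep -E '(^|[[:space:]/])dsniff([[:space:]]|$)'
}

# audit_router RCS BASELINE PSFILE: prints findings, returns 1 on any alert.
audit_router() {
    alerts=0
    if added=$(rcs_added_lines "$1" "$2"); then
        printf 'ALERT: %s differs from baseline:\n%s\n' "$1" "$added"
        alerts=1
    fi
    if procs=$(dsniff_procs < "$3"); then
        printf 'ALERT: dsniff is running:\n%s\n' "$procs"
        alerts=1
    fi
    [ "$alerts" -eq 0 ] && echo "OK: no indicators found"
    return "$alerts"
}

# Constructed sample data (not captured from a real device).
write_samples() {
    printf '#!/bin/sh\nmount -a\n/sbin/syslogd\n' > "$1/rcS.good"
    printf '#!/bin/sh\nmount -a\n/sbin/syslogd\n/tmp/x/dsniff -n &\n' > "$1/rcS.bad"
    printf '  1 root init\n 77 root /sbin/syslogd\n' > "$1/ps.good"
    printf '  1 root init\n 91 root /tmp/x/dsniff -n\n' > "$1/ps.bad"
}

# Demo on the samples; on a router, pass /etc/init.d/rcS, a saved vendor
# copy, and a file holding `ps` output instead.
d=$(mktemp -d) && write_samples "$d"
audit_router "$d/rcS.bad" "$d/rcS.good" "$d/ps.bad" || true
```

A clean result only covers these two indicators; it says nothing about whether the router's remote administration ports are reachable from the Internet side.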