Telcos ship routers with default passwords to customers who never change them; once a router is compromised, it automatically scans neighboring IP space for more vulnerable routers from the same ISP.
More than 40,000 infected routers from 1,600 ISPs all over the world have been documented. They're enlisted for massive denial-of-service attacks, and in their spare time, they crawl the rest of the Internet and recruit more ISP-supplied equipment to join them or snoop on their owners' traffic.
If this seems bad, remember that the Internet of Things is coming, and every lightbulb in your house will have the smarts to participate in a botnet, and will be supplied by a company that lacks the smarts to prevent it.
DDoS attacks are only one of the threats that result from router hijacking. Router compromises may also make it possible for attackers to eavesdrop on communications and penetrate other parts of a home or business network. Readers should ensure their routers aren't vulnerable by disabling all remote access unless it's specifically needed. Readers may also visit this site to see if Internet ports commonly used for remote administration are open. Readers should also ensure that router passwords have been changed to something that's strong and that firmware is up to date.
Researchers uncover “self-sustaining” botnets of poorly secured routers [Dan Goodin/Ars Technica]