The Anti-virus Times

Dell warned some users of PowerEdge R310, PowerEdge R410, PowerEdge R510, and PowerEdge T410 that malware could be present in the server motherboard firmware. A message published on Dell's customer support forum indicated that a small lot of PowerEdge R410 motherboards was shipped with malicious code embedded in the server management firmware.

http://en.community.dell.com/support-forums/servers/f/956/t/19339458
http://www.channelregister.co.uk/2010/07/21/dell_server_warning
http://ria.ru/science/20100721/257059385.html#ixzz4CV0afA4N

If Trojan.Rbrute has done its job in a system, users can be redirected to other sites that have been specially crafted by intruders.

Typically, an attack is carried out as follows:

1. Win32.Sector infects a system and downloads Trojan.Rbrute onto the machine.
2. Trojan.Rbrute receives a command to search for Wi-Fi routers and the password dictionary from a command and control server.

   The malware can mount brute-force attacks on the following Wi-Fi routers: D-Link DSL-2520U, DSL-2600U, TP-Link TD-W8901G, TD-W8901G 3.0, TD-W8901GB, TD-W8951ND, TD-W8961ND, TD-8840T, TD-8840T 2.0, TD-W8961ND, TD-8816, TD-8817 2.0, TD-8817, TD-W8151N, TD-W8101G, ZTE ZXV10 W300, ZXDSL 831CII, and some others.

   Trojan.Rbrute uses 'admin' or 'support' as a login.

3. If successful, Trojan.Rbrute modifies the router's DNS server settings.
4. When another 'healthy' machine attempts to connect to the Internet through the compromised router, the user is redirected to a specially crafted web page.
5. From this page, Win32.Sector malware is downloaded onto the computer, which subsequently gets infected.

http://news.drweb.com/show/?c=5&i=4271&lng=en

Altering a device's routing table was a distinguishing feature of attacks involving Trojan.Dyre.

http://news.drweb.com/show/?c=5&i=9829&lng=en

Added to the Dr.Web virus database as Linux.PNScan.1, the Trojan was supposedly installed on target machines by an attacker who exploited vulnerabilities like shellshock by launching the relevant script. Later it was downloaded and installed onto routers by Linux.BackDoor.Tsunami Trojans, which in turn were spread with the aid of Linux.PNScan.1.

http://news.drweb.com/show/?c=5&i=9548&lng=en

The company Mandiant has published the results of their research into the backdoor SYNful Knock which targeted Cisco routers.

The backdoor gets onto routers by using a modified Cisco IOS image. Intruders use a secret backdoor password to gain remote access to the router through the console and Telnet. The backdoor maintains its presence after a system restart. To overwrite the OS image, attackers use stolen account information and standard administrator passwords (users often forget to change default passwords).

According to the research, Cisco routers 1841, 2811 and 3825 are vulnerable to attack.

The attack described above is similar to the method that Cisco itself put forth as a possible scenario in August of last year. At that time, the company warned its customers that attackers could couldreplace the ROMMON (ROM Monitor) firmware with an altered copy. This method didn't require the use of any exploits. Attackers gained access to devices using actual logins and passwords which would appear to indicate that company employees—router owners or people who can access the device—participated in the attack.

Cisco routers aren't unique. Similar attacks can be mounted on devices produced by other manufacturers. For example, many researchers have published information about the malicious code in the operating system made by Juniper Networks.

https://habrahabr.ru/company/pt/blog/267141