The malware exploits default login credentials on these consumer router devices to infect them, meaning that infection can be avoided by changing the passwords and other security settings on the devices.
It operates in 3 stages:
- Stage 1: installs itself and remains installed even when the router is rebooted
- Stage 2: allows attackers to run commands and steal your data
- Stage 3: adds advanced plugins for sniffing etc.
While stage 1 will run again after a router is rebooted, stages 2 and 3 will not, as pointed out here. For this reason, the FBI has suggested that everyone reboot their router, both to disable stages 2 and 3 and to allow the FBI to get a list of infected victims and the types of routers that are affected.