Anyhow, since no password is needed, a script can attempt to load a few images known to be served by different router models, one at a time. If a load fails, it tries the next one. Here's some code that does this:
It can sometimes be difficult to fetch these images from a router without a password (not every router serves its logo before the user has logged in). It is surely possible on some routers, but not all. So instead of a linear discovery approach (one step at a time), the way an investigating scientist usually works, an attacker can take another approach: flood the router with configuration change attempts, hoping one of them works.
The two methods can be understood through an analogy: say you are flying somewhere with five of your friends, each of whom speaks a different foreign language. When you land, you need to tell the taxi driver who meets you where to take you. You don't know what country you're in, so you don't know which language (and which friend) to use.
The first method is careful: you look at what he's wearing, the car he's driving, and maybe look inside his pockets for an ID or money. Once you've deduced from this evidence where you are, you try giving the driver directions in the language that is your best guess. If that doesn't work you can try a different language, one at a time, but if you've done your research you will be right the first time. This is like the one-step-at-a-time approach that you mention. The problem is that the driver may not let you see the contents of his pockets, so you might have to resort to guessing.
Alternatively, the six of you can all walk up and start telling him where to go in different languages, all at once. He will be a little confused at first, but he will respond to one of you, the one speaking the language he recognizes, and that person can tell him where to go. This is the flood approach. It's messy, but you don't have to coordinate your friends or poke around in his car (where he may not let you go).
To take this back to the technology, let's say for example that ten router models make up a good portion of the market. An attacker can take advantage of this. Instead of "profiling" the router (as discussed in the tech report), he can simply send the configuration request for one of the ten most popular models. If it fails, the code tries again with the request for another model. This keeps going until one works or all of the requests have been tried. Alternatively, all ten might be attempted at once.
Both methods (linear discovery and many requests in parallel) are possible, yet the parallel flooding approach seems scarier, since it needs less investigative work (and much simpler programming) to succeed.
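The two orderings in code, as an added example for this page (not the post's own script, which is not reproduced here): a probe list is tried either one candidate at a time, stopping at the first hit, or all at once, resolving with whichever succeeds. It uses image loads as the probe, because an image's onload/onerror fires even for a cross-origin URL and needs no router password; the same ordering applies to the configuration requests the post describes, which are not shown. The model names, image paths and the simulated router are constructed placeholders, not real firmware paths.

```javascript
// Router-model discovery by image probing: linear ("one at a time") versus
// parallel ("flood") ordering. Added example for this page, not code from the
// original post. Model names and image paths are placeholders, not real
// firmware paths; the gateway addresses are common defaults.

// Constructed candidate table (assumed values).
const CANDIDATES = [
  { model: 'model A', url: 'http://192.168.1.1/images/logo_a.gif' },
  { model: 'model B', url: 'http://192.168.0.1/images/logo_b.gif' },
  { model: 'model C', url: 'http://192.168.1.1/img/banner_c.jpg' },
  { model: 'model D', url: 'http://10.0.0.1/pictures/top_d.png' },
  { model: 'model E', url: 'http://192.168.2.1/logo_e.gif' },
];

// In a browser, an <img> load reports success or failure through onload/onerror
// even for a cross-origin URL, and no router password is involved. The probe
// resolves to true (image exists) or false (error or timeout); it never rejects.
function browserLoader(url, timeoutMs = 3000) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => { img.src = ''; resolve(false); }, timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(true); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    img.src = url;
  });
}

// Linear discovery: try candidates in order and stop at the first hit.
// Returns the matching candidate, or null when every probe fails.
async function probeLinear(candidates, loader) {
  for (const c of candidates) {
    let ok = false;
    try { ok = await loader(c.url); } catch (e) { ok = false; }
    if (ok) return c;
  }
  return null;
}

// Parallel ("flood") discovery: fire every probe at once and resolve with the
// first one that succeeds; resolve null only after all of them have failed.
function probeParallel(candidates, loader) {
  return new Promise((resolve) => {
    let pending = candidates.length;
    let done = false;
    if (pending === 0) { resolve(null); return; }
    const settle = (c, ok) => {
      if (done) return;
      if (ok) { done = true; resolve(c); return; }
      pending -= 1;
      if (pending === 0) { done = true; resolve(null); }
    };
    for (const c of candidates) {
      let p;
      try { p = Promise.resolve(loader(c.url)); } catch (e) { settle(c, false); continue; }
      p.then((ok) => settle(c, ok), () => settle(c, false));
    }
  });
}

// Simulated router for running this offline (constructed, no network): only
// `liveUrl` "exists"; every probe answers after a short delay and is counted.
function simulatedLoader(liveUrl, delayMs = 5) {
  const stats = { calls: 0 };
  const loader = (url) => new Promise((resolve) => {
    stats.calls += 1;
    setTimeout(() => resolve(url === liveUrl), delayMs);
  });
  return { loader, stats };
}

// Stand-alone demo against the simulated router (pass `browserLoader` in a page).
async function demo() {
  const live = CANDIDATES[2].url;
  const lin = simulatedLoader(live);
  const hitL = await probeLinear(CANDIDATES, lin.loader);
  console.log('linear  :', hitL && hitL.model, 'after', lin.stats.calls, 'probes');
  const par = simulatedLoader(live);
  const hitP = await probeParallel(CANDIDATES, par.loader);
  console.log('parallel:', hitP && hitP.model, 'after', par.stats.calls, 'probes');
}
if (typeof window === 'undefined') demo();
```

The trade-off the post describes shows up in the probe counts: the linear run stops as soon as one image loads, while the parallel run sends every probe before it knows anything, so it is simpler but generates more traffic on the local network. One caveat worth keeping in mind when translating this from image probes to the configuration requests the post mentions: an image load gives the script an onload/onerror signal, but a cross-site form submission gives the page no readable response, so a flood of configuration changes is essentially fire-and-forget.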
To boil this down, drive-by pharming is not a completely specified problem. There are many ways to attack home routers from the inside, and the technique an attacker picks depends on the types of targets he is interested in.
On a lighter note, here are some fun blog comments from Slashdot regarding drive-by pharming:
1) Drive by pharm,
2) Stop. Park.
3) Milk cows.
4) Feed chickens.
5) Slop pigs.
6) Stack hay.
We'll chase off the Pharmers with our phlaming torches and pitchphorks!
(Previously: drive-by pharming)