That lets the malware change the address for your bank, say CitiBank.com, from the real site to one that looks exactly like it, but is designed to steal your identity.
In order to attack your system, the malicious script needs the username and password that control access to the router's configuration. Way too many people leave these set to the default values, which are readily available at web sites like Default Router Passwords Database.
By simply switching to a strong password you derail this attack. Simple and free! Whew!
UPDATE: You can read Zulfikar Ramzan's full explanation of drive-by pharming here.