Here is what I think...
1. As long as the botnet is running legit miner software, the blocks are just fine and will benefit the Bitcoin network as far as hashing power is expected. Running disruptive software and hurting the Bitcoin network is not profitable for the owner. It can only make short-term lulz.
+1. Most likely they (botnet ops) will create private pools, concentrating all the mining power they have there.
2. Most infected machines are low-end ones, with Intel crap cards and very few high-end ATI cards. Probably the most likely user to get infected is a noob beginner or an office computer. They predominantly are Celeron/Sempron/i3 and similar low-spec machines. High-end rigs are usually controlled by smarter people, and an infestation is more likely to be detected and removed.
There are a lot of "noobs" out there. There are office computers too, and there are older people who don't have a deep understanding of computers. Even if most of the computers have low-end CPUs, infecting a great number of computers will give great speed.
3. Running a CPU miner can lead to detection and is unprofitable by itself. You are more likely to get your botnet reduced in size because people reinstall their computers than to get more profit than from sending emails or DDoSing.
Not necessarily. CPU mining can be done when the computer is idle and no one is going to notice. For example, how often do you check what your computer does when it is idle? This is the smartest choice, assuming a great number of PCs are not being turned off at the end of a shift, etc., making detection even more difficult. There isn't even a need to bother infecting computers. Take some fancy screensaver (most of the modern ones can use GPU power), include the miner in its code, and upload it to multiple sites. Ah... too bad I'm not a programmer myself.
But this is the scenario that is most likely to happen.