It isn’t botnet, it’s a trojan. Kaspersky reported that they found a few (about 1000) instances of a Zcash miner running on their users’ computers, named after some other unrelated software, i.e. it was named minecraft.exe or whatever. I think they speculated that it was uploaded to a Torrent site in order to trick people into downloading it. So, that’s not a botnet.
Now, we have already been thinking of doing a backward-incompatible (“hard fork”) upgrade to (among other improvements) change the Equihash parameters from 200,9 to 144,5. Or we could possibly choose other parameters that would be better in light of what we’ve learned about Equihash implementation in the past couple of months. 200,9 takes about 140 MB of RAM, and 144,5 would take at least 500 MB of RAM.
What effect, if any, that would have on possible future botnets, I’m not sure. Since there aren’t any botnet implementations of Zcash mining yet, we can’t learn anything from studying them.
Switching to the 144,5 params would also reduce the size of Equihash solutions from 1344 bytes to 100 bytes, which has several benefits, including making it faster and cheaper to verify the Zcash blockchain inside the Ethereum virtual machine (for “Project Alchemy”).