Is there any known connection between PhotoMiner and Linux.Lady aside from them both mining Monero? They both also seem to target open ports, FTP server ports in the case of PhotoMiner and Redis database server ports in the case of Linux.Lady
Are there any estimates about the current cumulative Monero botnet hashrate?
Although its common practice for malware, they both try to locate and infect vulnerable machines and services (PhotoMiner: FTP servers, Linux.Lady: Redis servers), what caught my attention was this excerpt from the GuardiCore webpage with an analysis of the PhotoMiner malware:
Recent variants of the malware have upgraded this attack by adding server-side code injection and attempting to install a Linux based miner.
They didn't went into detail about the Linux variant so I can't say how close it is to Linux.DownLoader.196 used by Linux.Lady. The Softpedia article also goes on about other possible similarities:
Just like PhotoMiner, Linux.Lady comes with self-propagation features. The trojan includes a function that detects the IP address of the infected computer, scans the local network, and probes for other vulnerable Redis servers that don't feature a password on the admin account.
About how much of the hashrate is dominated by botnets I would say its minimal:
My view is that botnets "dominating" mining, after working out reasonable assumptions about hash rate of the network and of bot nodes, would require many hundreds of thousands to millions of botnet nodes and if that were going on, it would have a huge visibility footprint. Since no such thing is visible, it almost certainly isn't happening. Smaller botnets exist.
And he was proven right.
As we can see malware like these (CPU-intensive) are spotted pretty quickly, but as there are a large amount of unprotected and unattended machines over the web your guess is as good as mine.