Do botnet infections exist in the wild on Macs?
Yes.
My Mac got botted.
You have to do something really stupid to get botted, though. In my case, I created a separate user account for friends to use when they visited. It was named "Friend" with password "friend". That was dumb. (NEVER create an account whose password is empty, the same as the account name, or the account name spelled backwards. Those are the first three passwords an attacker will try.)
At the time, it was harmless. I didn't have Remote Login enabled, so there was no way for an outsider to even get to a password request.
But then I learned about ssh, and wanted a way to access my computer from outside. I configured my router to allow ssh from outside. I gave fleeting thought to passwords, but they were all strong except for the "friend" account, and that account was a non-admin account that had been carefully configured to have no access to any of my data. My thought was: "I don't care if they log in as friend."
Then one day I discovered that my "friend" account had joined a botnet. It still had no access to any of my data, but was perfectly willing to contribute processor power and internet bandwidth to the cause.
As a non-admin, it could not install anything into /Applications, but it didn't need to. It installed an application directly into ~friend. It tried to clean up its tracks by removing the source files it was compiled from, but missed a few, enough to show that it was using the Darwin version of an IRC client. That is, the attacker knew they had reached a Macintosh, and wasn't deterred.
This attacker was clumsy. They made no effort to hide the application, leaving it unhidden right at the top level of the home folder. They didn't clean up all the source files. They didn't even turn off the logs! They changed the password on the "friend" account (which was how I first spotted the intrusion). Why? I dunno. They didn't add any keys to ~/.ssh/authorized_keys, or leave any other back doors open. (Believe me, I searched, then wiped the account just to be sure.)
But this clumsy attacker still botted my Mac.
(BTW: according to the logs, I was lucky enough to detect the intrusion within hours. All they managed to do before I caught them was to log into an IRC server in Norway, and download some files from a porn site in Rumania. The attack appears to have come in from Los Angeles.)
In hindsight, opening a hole for remote login is dangerous, but the danger is manageable and the value to me of being able to login from outside is sufficient to warrant the risk. That's not the stupid thing I did.
The stupid thing I did was to have any account, even a useless throw-away account like this one, with a weak password.
For a long time after that, I monitored my security logs and internet connections intently, looking to see if I had overlooked anything. One thing I saw is that intruders probe throw-away account names, like "test", "test1", ... "test9", "ftp", "ftp1", ..., "ftp9", "web", ... "web9", "www", ... "www9", etc. along with common first names, like "Joe", "Bob", "Boris", "Dmitri", "Vladimir", "Katie", etc., presumably looking for weak passwords. (They also really hammer on "root", "admin", "admin1", ... "admin9", apparently taking the time to do full dictionary attacks on those.) The point here is that even a temporary "test" account needs a strong password. Same with the kids. Even your kindergartener needs a good password.
And the real point is: Macs can indeed be botted. We're not invulnerable, the attackers know it, and they are probing our defenses. This isn't abstract theory. The attacks are real, and when needed, Macintosh specific. I know. I've been there.
That having been said, most anti-malware software is useless on a Mac. Most attacks use social engineering, which anti-malware software is useless against. The software either looks for signatures of known viruses, or monitors for "suspicious activity". There is no known "suspicious activity" on a Mac, and the very ability to monitor the system in that level of detail would itself be an avenue for infection. (Little Snitch might be an exception to that: unplanned outgoing connections would count as suspicious activity.) And the bad guys can change their signatures too fast to make signature detection useless against any but the clumsiest attackers.
The best defense is vigilance.
Oh, and don't do anything stupid.
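The log monitoring described in the post, shown as an added example that is not part of the original answer: it counts failed ssh logins against the throw-away account names the post lists and flags a password login that follows a burst of guesses from the same address. It assumes OpenSSH's sshd message wording; the log lines, addresses and the `min_failures` threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH sshd message format (not from the post's logs).
SAMPLE_LOG = """\
Mar 3 02:11:01 mac sshd[411]: Failed password for invalid user test1 from 203.0.113.7 port 50122 ssh2
Mar 3 02:11:04 mac sshd[413]: Failed password for invalid user ftp from 203.0.113.7 port 50130 ssh2
Mar 3 02:11:09 mac sshd[415]: Failed password for root from 203.0.113.7 port 50141 ssh2
Mar 3 02:11:12 mac sshd[417]: Failed password for root from 203.0.113.7 port 50150 ssh2
Mar 3 02:11:15 mac sshd[419]: Accepted password for friend from 203.0.113.7 port 50163 ssh2
Mar 3 09:30:00 mac sshd[502]: Accepted publickey for owner from 198.51.100.20 port 40022 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Throw-away name families listed in the post: test, ftp, web, www, admin (+ digit), root.
THROWAWAY = re.compile(r"^(test|ftp|web|www|admin)\d?$|^root$", re.IGNORECASE)

def analyze(log_text, min_failures=3):
    failures = defaultdict(Counter)   # ip -> Counter of usernames it failed on
    probed = Counter()                # throw-away names that were probed
    alerts = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip][user] += 1
            if THROWAWAY.match(user):
                probed[user] += 1
        elif m["method"] == "password" and sum(failures[ip].values()) >= min_failures:
            # A password login from an address that was just guessing: likely a hit.
            alerts.append((ip, user, sorted(failures[ip])))
    return probed, alerts

if __name__ == "__main__":
    probed, alerts = analyze(SAMPLE_LOG)
    print("probed throw-away names:", dict(probed))
    for ip, user, tried in alerts:
        print(f"ALERT: {ip} logged in as {user!r} after guessing {tried}")
```

Key-based logins, like the last sample line, are never flagged, since only a password login can be the result of guessing.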