The nodes likely are running a modified, stripped-down version of bitcoind. It doesn't keep the blockchain, it doesn't need a db, it doesn't even need logs. It simply connects to peers and looks for inv messages. When an inv message occurs, the nodes internally use the last block hash, current time, no tx, the simplified coinbase, build a merkle tree consisting of 1 tx, build a block header and start hashing. Likely not all nodes are even running this. To isolate the botnet, only a "few" (as a % of total nodes) would need connections to the bitcoin network. They could relay new block notifications in p2p fashion to the rest of the swarm.
If this is the issue, and there's a good chance that it is, there are three possible solutions:
1) Make it more difficult for listening nodes to get what they need to process a block with no transactions.
2) Make it easier for listening nodes to get what they need to process a block with transactions.
3) Raise the transaction fees so that there's enough incentive for botnet operators to get transactions into their blocks.
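For anyone who wants to measure how often such blocks show up, here is an added example (not code from the posts above) that classifies a serialized block as coinbase-only. It relies on the point that a merkle tree of 1 tx has that transaction's hash as its root. It assumes legacy (pre-segwit) serialization; the function names and sample bytes are constructed for illustration.

```python
import hashlib
import struct

def dsha256(data):
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def merkle_root(txids):
    """Merkle root over txids (internal byte order); one txid is its own root."""
    if not txids:
        raise ValueError("a block has at least the coinbase transaction")
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # odd level: last hash is paired with itself
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def read_varint(buf, off):
    """Decode a CompactSize integer; return (value, next offset)."""
    first = buf[off]
    if first < 0xFD:
        return first, off + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[off + 1:off + 1 + size], "little"), off + 1 + size

def classify_block(raw):
    """Report the transaction count and whether the block is coinbase-only."""
    if len(raw) < 81:
        raise ValueError("truncated block")
    _ver, _prev, root, _time, _bits, _nonce = struct.unpack("<I32s32sIII", raw[:80])
    count, off = read_varint(raw, 80)
    result = {"tx_count": count, "coinbase_only": count == 1, "root_matches": None}
    if count == 1:
        # With one transaction, everything after the count is that transaction.
        result["root_matches"] = dsha256(raw[off:]) == root
    return result

# Constructed sample data (not real chain data): a minimal legacy coinbase.
SAMPLE_COINBASE = (b"\x01\x00\x00\x00\x01" + b"\x00" * 32 + b"\xff" * 4 + b"\x02\x51\x51"
                   + b"\xff" * 4 + b"\x01" + (50 * 10**8).to_bytes(8, "little")
                   + b"\x01\x51" + b"\x00" * 4)

def sample_block(txs):
    """Assemble a constructed block (fewer than 253 txs) with placeholder header fields."""
    root = merkle_root([dsha256(tx) for tx in txs])
    header = struct.pack("<I32s32sIII", 1, b"\x11" * 32, root, 1300000000, 0x1D00FFFF, 0)
    return header + bytes([len(txs)]) + b"".join(txs)

if __name__ == "__main__":
    print(classify_block(sample_block([SAMPLE_COINBASE])))
    print(classify_block(sample_block([SAMPLE_COINBASE, SAMPLE_COINBASE[::-1]])))
```

Run over a range of blocks, the share with `coinbase_only` set gives a rough measure of how many miners are skipping transactions.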