Some time ago I was using my honeynet (part of the Honeynet Research Alliance) to study so-called "non-root" attackers, who get user-level access and are perfectly happy with it. My GCIH "thesis" actually had some specific research. I did mention DDoS client installation as one of the uses I observed.
Nowadays, it looks like its becoming more common - check it out:
» Disturbing developments in DDoS attacks Threat Chaos ZDNet.com: "The hacker used a common mis-configuration in PHP scripts to take over Linux machines and use them for his army of zombies. "