
I read someone speculating that the performance issue was intentional, so infected machines could be easily identified by an internet-wide scan without arousing further suspicion.

If this is or becomes a widespread method, then anti-malware groups should perhaps conduct these scans themselves.



Very small differences in performance can be detected over the network as long as you have enough samples. Given that every port 22 is being hit by a gazillion attempts per day already, sample count shouldn’t be an issue.

So if distinguishing infected machines was their intention they definitely over-egged it.
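Added example, not part of the thread: a short simulation of the sampling argument in the comment above, showing how the number of timing samples determines whether a small per-connection delay stands out from network jitter. The 0.5 ms delay, 5 ms Gaussian jitter, 80 ms baseline and the function names are all assumptions chosen for illustration, and the timings are constructed rather than measured.

```python
import math
import random
from statistics import NormalDist, fmean, variance


def samples_needed(delta_ms, jitter_sd_ms, alpha=0.05, power=0.8):
    """Per-host sample count for a two-sided two-sample z-test to detect
    a mean shift of delta_ms against jitter with the given std deviation."""
    z = NormalDist().inv_cdf(1 - alpha / 2) + NormalDist().inv_cdf(power)
    return math.ceil(2 * (z * jitter_sd_ms / delta_ms) ** 2)


def welch_z(a, b):
    """Welch statistic: difference of sample means over its standard error."""
    se = math.sqrt(variance(a) / len(a) + variance(b) / len(b))
    return (fmean(b) - fmean(a)) / se


def simulate(n, base_ms=80.0, delta_ms=0.5, jitter_sd_ms=5.0, seed=1):
    """Constructed data: n response timings from a baseline host and n from
    a host that is delta_ms slower, both with Gaussian jitter (assumption)."""
    rng = random.Random(seed)
    clean = [rng.gauss(base_ms, jitter_sd_ms) for _ in range(n)]
    slowed = [rng.gauss(base_ms + delta_ms, jitter_sd_ms) for _ in range(n)]
    return welch_z(clean, slowed)


if __name__ == "__main__":
    print("samples per host for 80% power:", samples_needed(0.5, 5.0))
    for n in (20, 2_000, 100_000):
        # The statistic grows roughly with sqrt(n): the shift is invisible
        # at n=20 and unmistakable at n=100000.
        print(f"n={n:>6}  z={simulate(n):6.2f}")
```

The required sample count scales with (jitter / delay) squared, so a delay ten times smaller needs about a hundred times as many samples.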



