Malware requires three things to :-
1) Some way of being run in the first place.
3) Somewhere to hide itself so that it is run again.
3) Ideally, some way of escalating its privileges so that it can hide itself deep inside the OS and hide its tracks and make removal tricky.
Windows may have more holes to make #1 possible, but Linux isn't completely free of vulnerabilities and exploits.
#3 is the key one: if it can become root then a well written bit of malware is nigh on impossible to spot or remove. Many people resort to reinstallation after being rooted. The vulnerabilities that allow privilege escalation may be being patched all the time, but there are still plenty out there, and every iteration of new software brings in a whole load of new holes. That and the average person's lack of awareness in updating and securing their systems properly.
#2 is relatively easy. Stuff a hokey version of 'cat' or 'vi' in "~/. " (with the space being a hard space) and put that in the PATH variable in their .cshrc or .bashrc. If it ever gets run as root then go to town...
How many people check pgp signatures of software they download before they install it? (The websites of some notable popular software have been hacked in the past. It doesn't take much to include a bit of malware in a commonly installed package).
How many people check the source of software they download, compile and install? (Installing often requires 'make install' to be run as root. Easy to sneak in something there that substitutes a malware infected version of 'cat' for the real OS version. Or bury something in the code itself to do something wacky if it's ever run as root.)
How many people login and run everything as root? (Newer distribs are getting better at discouraging this though.)
The main reason that Linux doesn't have many viruses and malware is that Windows is far more popular and a much easier target. It's not because Linux is amazingly secure or immune to it all. Many of the same tricks that apply to Windows can be applied to Linux.
Remember, the hackers don't have to defeat people who understand security, patching and the like. They only have to defeat the average person who's just playing around with Linux and is unlikely to know exactly what they're doing. They've done a default install of Ubuntu and clicked yes to a bunch of stuff they don't really understand. 3 months later someone finds a vulnerability with the version of ssh in 8.05 and no-one does anything about it.
These will be Linux boxes behind DSL routers with default passwords or webadmin systems accessible from the outside world. (My BT Homehub gets portscanned 3 or 4 times a day. I've got SNMP management and syslog forwarding set up. It's interesting to see how many dictionary attacks and random probes there are during a day just because it sits in a large IP block for DSL connections.)
The thing that would turn the Linux world on its head would be a concerted attack by everyone who's focusing their energies on Windows viruses/malware. It would get through it, eventually, and it'd be a lot stronger for all the attention, but it would take out a hell of a lot of systems along the way.
There are botnets out there with over 1 million Linux machines. Infection vectors are simple: improperly configured ssh daemons or weak passwords (especially when no-one is bothering to check the logs to see if there are thousands of login attempts per minute as it cycles through a dictionary attack), web admin vulnerabilities, PHP vulnerabilities, Xvnc, old wuftpd daemons, exploitable bind daemons where users have selected a server install and left everything running, etc, etc.
If anything a locked down OS that auto-updates is a much better situation than the current situation where people install stuff and let it fester.