Malware doesn't have to be built for 9x. A lot can be fairly generic, using APIs that exist in all versions of Windows. 9x may luck out due to an API not existing.
Even without any of those a user can simply download and run an executable that could use the machine as a host to infect other machines (assuming the exe runs on 9x).
To prove no malware concerns them, put a 9x computer in the DMZ and browse on it regularly as a regular user does, without any browser add-ons, and see if anything happens. Then at the end of the week scan it with a modern malware scanner, and if nothing pops up you might be able to assume 9x is safe on the Internet; doubt it tho.
Of course anyone browsing the web on 9x today likely went through the effort of perusing this thread and knows what addons to use and how to browse to stay away from some of the culprits:
List of Web Browsers For All Operating Systems
Is using the following to browse TLS 1.2 sites on Windows 95/98/ME
Opera 10.70 Build 3488 (Primary) / RetroZilla TLS1.2 (Roytam1) (Alternate)
or is using KernelEX w/ Opera 12.02 Build 1578 (Primary).
or is using a proxy to browse new websites on old browsers... maybe someone decides to target people using proxies, sounds like a good target to me.
As for protecting old machines with a modern AV, I know that Barracuda proxy scans using ClamAV or Avira. I don't know of any free or open-source proxies that do this, but I haven't kept up with them.
ClamAV still works on 9x