Not environmentally sound, but send personalized lists of candidates by postal service to each voter with candidate numbers scrambled in a way known only to the voting server. Then when voting online, the voter uses the peronalized number for the candidate. Malware won't know what candidate numbers the voter has, but the server receiving them will. Malware can thus only affect the outcome by voting on random candidates on behalf of the voter instead of on the candidate the voter wanted.
Unfortunately the chosen candidate can not be verified back to the voter until the vote has been committed and can no longer be changed, otherwise malware could iterate through numbers to see which candidate is which.