The New York Times Technology

An Army of Soulless 1's and 0's

Published: June 24, 2005

WASHINGTON, June 23 - For thousands of Internet users, the offer seemed all too alluring: revealing pictures of Jennifer Lopez, available at a mere click of the mouse.

But the pictures never appeared. The offer was a ruse, and the click downloaded software code that turned the user's computer into a launching pad for Internet warfare.

On the instructions of a remote master, the software could deploy an army of commandeered computers - known as zombies - that simultaneously bombarded a target Web site with so many requests for pages that it would be impossible for others to gain access to the site.

And all for the sake of selling a few more sports jerseys.

The facts of the case, as given by law enforcement officials, may seem trivial: a small-time Internet merchant enlisting a fellow teenager, in exchange for some sneakers and a watch, to disable the sites of two rivals in the athletic jersey trade. But the method was far from rare.

Experts say hundreds of thousands of computers each week are being added to the ranks of zombies, infected with software that makes them susceptible to remote deployment for a variety of illicit purposes, from overwhelming a Web site with traffic - a so-called denial-of-service attack - to cracking complicated security codes. In most instances, the user of a zombie computer is never aware that it has been commandeered.

The networks of zombie computers are used for a variety of purposes, from attacking Web sites of companies and government agencies to generating huge batches of spam e-mail. In some cases, experts say, the spam messages are used by fraud artists, known as phishers, to try to trick computer users into giving confidential information, like bank-account passwords and Social Security numbers.

Officials at the F.B.I. and the Justice Department say their inquiries on the zombie networks are exposing serious vulnerabilities in the Internet that could be exploited more widely by saboteurs to bring down Web sites or online messaging systems. One case under investigation, officials say, may involve as many as 300,000 zombie computers.

While the use of zombie computers to launch attacks is not new, such episodes are on the rise, and investigators say they are devoting more resources to such cases. Many investigations remain confidential, they say, because companies are hesitant to acknowledge they have been targets, fearful of undermining their customers' confidence.

In one recent case, a small British online payment processing company, Protx, was shut down after being bombarded in a zombie attack and warned that problems would continue unless a $10,000 payment was made, the company said. It is not known whether the authorities ever arrested anyone in that case.

Zombie attacks have tried to block access to Web sites including those of Microsoft, Al Jazeera and the White House. In October 2002, a huge but ultimately unsuccessful attack was mounted against the domain-name servers that manage Internet traffic. The attackers were never caught.

Federal officials say the case involving the athletic jerseys was solved after some college computers in Massachusetts and Pennsylvania were found to be infected with software code traced to a user whose Internet name was pherk. That hacker, a high school student in New Jersey, told investigators that he was acting at the behest of a merchant - the owner of www.jerseydomain.com.

The merchant, an 18-year-old Michigan college student, could face trial later this year in a federal court in Newark. The case offers a rare glimpse both into the use of zombie computers and into the way that law enforcement officials are trying to combat the problem.

More than 170,000 computers every day are being added to the ranks of zombies, according to Dmitri Alperovitch, a research engineer at CipherTrust, a company based in Georgia that sells products to make e-mail and messaging safer.

"What this points out is that even though critical infrastructure is fairly well secured, the real vulnerability of the Internet are those home users that are individually vulnerable and don't have the knowledge to protect themselves," Mr. Alperovitch said. "They pose a threat to all the rest of us."

Mr. Alperovitch said that CipherTrust had detected a sharp rise in zombie computers in recent months, from a daily average of 143,000 newly commandeered computers in March to 157,000 in April to 172,000 last month.

He said that the increase was attributable to two trends: the rising number of computers in Asia, particularly China, which do not use software to protect against zombies, and the worldwide proliferation of high-speed Internet connections.

Aside from the use of tools like CipherTrust's within businesses, experts say consumers can largely make their computers off limits to zombie activity by using up-to-date antivirus and antispam software.

One factor helping those seeking to create zombie networks, known as botnets, is the increasing use of high-speed Internet connections in the home. Aside from being able to handle (and generate) more traffic, such households are more inclined to leave computers running - the computers recruited as zombies need to be on when called by the master.

Eric H. Jaso, an assistant United States attorney in Newark who is prosecuting the New Jersey case, said the zombie cases often wind up damaging more than just the target.

"The effects of these attacks on the Internet itself are far ranging and highly damaging to innocent parties," he said. "The ripple effect is that when one server is attacked, other servers are affected and damaged. Web sites crash. Backup systems become unavailable often to entities like hospitals and banks that are part of the critical infrastructure of the country."

The overall damage in the New Jersey case is estimated by the authorities at $2 million.

That investigation began last July 7, when an online sports-apparel merchant, Gary Chiacco, told federal authorities that traffic to his site, jersey-joe.com, had been disrupted for several days, at a cost of hundreds of thousands of dollars of lost sales. When customers tried to gain access to the site, they would be greeted with an error message.

The attacks continued through the fall of last year and became so severe that they affected service to other customers of the Web-site hosting company used by Jersey Joe.

The host company ultimately told Jersey Joe to go elsewhere, as did two other companies that it then tried to use and that suffered problems from the zombie attacks.

Federal and state investigators say the case was cracked through a combination of luck and sleuthing. While the F.B.I. continued to monitor the attacks on Jersey Joe, student computers at colleges in Massachusetts and Pennsylvania were found to be infected with the software that converted them into zombies.

Hackers "find computers on colleges to be particularly attractive because they have a larger bandwidth and are able to send more packets of data," said Kenneth R. Sharpe, a deputy attorney general in New Jersey involved in prosecuting the case.

A close examination of those computers disclosed the software had been trying to communicate with a user named pherk. Investigators traced the name and an Internet computer address to a 17-year-old high school student from Edison, N.J., named Jasmine Singh.

Confronted by law-enforcement authorities, Mr. Singh acknowledged his involvement and said it was at the behest of an 18-year-old businessman, Jason Arabo, whom he had met through a mutual friend. Mr. Arabo ran a sports jersey business from his home, selling online at www.customleader.com and www.jerseydomain.com.

Investigators determined that Mr. Singh had spread the rogue software through file-sharing networks like Kazaa, using the Jennifer Lopez come-on, and instructed the zombie computers to attack two of Mr. Arabo's competitors - Jersey Joe and another online shirt company, Distant Replays of Atlanta. His compensation, he said, was three pairs of sneakers and a watch.

The F.B.I. then set up a sting operation against Mr. Arabo. According to court papers, an undercover investigator held a series of instant-messaging chats with Mr. Arabo on America Online in December. Mr. Arabo told the undercover agent that he had previously recruited Mr. Singh and that those attacks had not done enough harm to keep his rivals offline, the court papers assert.

According to the court papers, Mr. Arabo asked the agent to mount denial-of-service attacks against rivals in exchange for sports apparel and watches. In later chats that month, he asked the agent to "take down" Jersey Joe's server and redirect its Internet traffic to a pornographic site, the court papers say, and repeatedly asked the agent to "hit them hard."

Mr. Arabo, a student at a community college in a Detroit suburb, was arrested in March and charged in a federal criminal complaint with conspiracy to use malicious programs to damage computers used in interstate commerce. He remains free on $50,000 bail and the condition that he stay off computers and the Internet. (The jerseydomain.com site now carries the notice "Under New Management.") He faces a maximum sentence of five years.

His lawyer, Stacey Biancamano, did not respond to several messages seeking comment.

For his part, Mr. Singh pleaded guilty last month in New Jersey Superior Court to charges of computer theft. Under a plea agreement, he faces a maximum sentence of five years at a youth correction center when he is sentenced in August, but the state prosecutor's office says it will not object to probation.

Mr. Sharpe, the New Jersey prosecutor in the case, said that Mr. Singh had boasted to his high school friends about his ability to create the zombie networks. "It was an ego thing," Mr. Sharpe said. "Hacking in its purest form is not about compensation or about wrecking a Web site. Hacking in its pure form is to show what you can do."
