1.3.4 Multi-byte XOR Encoding

Attackers commonly use multi-byte XOR keys because they raise the cost of the brute-force technique: to brute-force data encrypted with a 4-byte XOR key you would need to try 4,294,967,295 (0xFFFFFFFF) possible keys instead of the 255 (0xFF) keys needed for a single-byte key. Note that this only defeats blind brute force. XOR with a repeating key is still trivially reversible once a few bytes of plaintext are known, and a PE payload supplies plenty of known plaintext (the MZ header and the DOS stub message), so the key can usually be recovered directly from the encrypted data instead of guessed. The following screenshot shows the XOR decryption loop of the malware (Taidoor). In this case, Taidoor extracted the encrypted PE (exe) file from its resource section and decrypted it using the 4-byte XOR key 0xEAD4AA34:

The following screenshot shows the encrypted resource in the Resource Hacker tool. The resource can be extracted and saved to a file by right-clicking on the resource and then selecting Save Resource to a *.bin file:

The following Python 3 script decodes the encoded resource (saved as rsrc.bin) using the 4-byte XOR key 0xEAD4AA34 and writes the decoded content to a file (decrypted.bin). The key is applied as a little-endian dword ("<I"), which is how the 32-bit XOR instruction in the malware's loop consumes it:

import struct

def four_byte_xor(content, key):
    # XOR the content with a 4-byte key, one little-endian dword at a time.
    # "<I" pins the byte order to little-endian (x86), independent of the
    # host the script runs on.
    translated = b""
    len_content = len(content)
    index = 0
    while index < len_content:
        data = content[index:index + 4]
        chunk_len = len(data)
        # A trailing chunk shorter than 4 bytes would make struct.unpack
        # fail; pad it, XOR it, and trim the result back to its real size.
        data = data.ljust(4, b"\x00")
        p = struct.unpack("<I", data)[0]
        translated += struct.pack("<I", p ^ key)[:chunk_len]
        index += 4
    return translated

xor_key = 0xEAD4AA34
with open("rsrc.bin", "rb") as in_file:
    rsrc_content = in_file.read()
decrypted_content = four_byte_xor(rsrc_content, xor_key)
with open("decrypted.bin", "wb") as out_file:
    out_file.write(decrypted_content)

The decrypted content is a PE (executable file) as shown here:

$ xxd decrypted.bin | more
00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000 MZ..............
00000010: b800 0000 0000 0000 4000 0000 0000 0000 ........@.......
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 f000 0000 ................
00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468 ........!..L.!Th
00000050: 6973 2070 726f 6772 616d 2063 616e 6e6f is program canno
00000060: 7420 6265 2072 756e 2069 6e20 444f 5320 t be run in DOS