Someone not wanting to stick out might only probe headers that are less often logged, but still possibly passed along as environment variables. Has anyone logged 'HTTP_FROM' in a long while?



The shellshock scan is setting the Host header, which might set the SERVER_NAME CGI variable in some environments and is not included in the Common Log Format or widely used Combined Log Format (which adds the Referer and User-Agent). For example, Apache's httpd directive UseCanonicalName is set to "off" by default, allowing the client to set SERVER_NAME via the Host header, possibly passing it to vulnerable scripts.

Furthermore, an admin might use directives to log the requested host in a name-based virtual hosting environment to facilitate parsing. For example, when using Apache's httpd LogFormat/CustomLog directives, if "%V" is used as the format string and UseCanonicalName is set to "off", the string provided by the client in the Host header will be written to the log. Naive parsers might choke on this or even execute the code. If the shellshock scan results in a delayed surge of pings from a single host, this is likely to be the cause.


Excellent point.

Apache actually passes along any HTTP header, even undefined ones, as CGI environment variables (of the form $HTTP_HEADERNAME) so an attacker could just make up a header and it would be very unlikely to be logged.
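An added example, not code from any commenter in this thread, showing the mapping the discussion describes: it mirrors the CGI header-to-environment rule, flags any variable whose value carries bash's function-definition prefix, and reports whether that variable would have been visible in a default Common/Combined access log. The header-to-variable mapping follows RFC 3875; copying Host into SERVER_NAME when UseCanonicalName is off is a simplification assumed from the thread, and the probe string and request are constructed samples.

```python
import re
from typing import Dict, List, Tuple

# bash's exported-function prefix: the shape a Shellshock probe places in a
# header value so that a CGI handler exporting it as an HTTP_* variable
# would have a bash child parse it as a function definition.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# The only request headers captured by the Common/Combined Log Formats; any
# other header is invisible to a log review unless LogFormat is extended.
LOGGED_ENV_VARS = {"HTTP_REFERER", "HTTP_USER_AGENT"}


def cgi_env_from_headers(headers: Dict[str, str],
                         use_canonical_name: bool = False) -> Dict[str, str]:
    """Mirror how a CGI gateway exports request headers (RFC 3875 sec. 4.1.18):
    'X-Made-Up' becomes HTTP_X_MADE_UP. With UseCanonicalName off (Apache's
    default, per the thread) the Host header also feeds SERVER_NAME; copying
    it verbatim is a simplification of Apache's real host handling."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    if not use_canonical_name and "HTTP_HOST" in env:
        env["SERVER_NAME"] = env["HTTP_HOST"]
    return env


def find_shellshock_probes(headers: Dict[str, str]) -> List[Tuple[str, bool]]:
    """Return (environment variable, visible_in_default_access_log) for every
    variable whose value carries the function-definition prefix."""
    hits = []
    for var, value in cgi_env_from_headers(headers).items():
        if SHELLSHOCK_RE.search(value):
            hits.append((var, var in LOGGED_ENV_VARS))
    return hits


# Constructed request: the same probe string placed in the Host header, a
# rarely logged standard header (From) and an invented header, beside benign values.
PROBE = "() { :; }; echo probe"   # constructed sample value
SAMPLE_HEADERS = {
    "Host": PROBE,
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
    "From": PROBE,
    "X-Made-Up": PROBE,
    "Referer": "http://example.test/",
}

if __name__ == "__main__":
    for var, logged in find_shellshock_probes(SAMPLE_HEADERS):
        print(f"{var:<16} probe present, in default access log: {logged}")
```

Every flagged variable in the sample request reports False for the default log, which is the gap the commenters are pointing at; only a probe in User-Agent or Referer would show up without an extended LogFormat.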



