how to deny "sudo su"

In order to properly avoid this you must take a different approach.
If you disallow sudo su, I can still run sudo -u root /bin/sh; if you disallow this, I will write a small wrapper script and execute that...

The only way to solve this is to only allow the needed commands.


%sudo ALL=(ALL) NOPASSWD: ALL

You have effectively given the users in the sudo group full unrestricted control over your system. Trying to deny them access to the su binary is, as others have noted, futile, as they already have root privilege via sudo and membership of the group.

You should analyse the workflow of the users in the sudo group to determine which commands they need to run as root and use sudo to give them privileged access to those commands only. If necessary, write scripts and give the sudo group access to run the script (make sure they don't have write access to it though) rather than the individual commands within it.

For example, you may determine that your users need to be able to use kill and all of the commands in the directory /usr/local/sudocmds (where your local scripts live), so you would give them sudo access like so:

%sudo    ALL=NOPASSWD: /usr/bin/kill, /usr/local/sudocmds

You can use command aliases too:

Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump

%sudo ALL=NOPASSWD: PRINTING, DUMPS, /usr/bin/kill, /usr/local/sudocmds

This adds the commands in the PRINTING and DUMPS Cmnd_Aliases to the list of commands that the sudo group can run.

Take a look at the sudoers man page for more information and examples.
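A small audit helper, added here as an example and not part of either answer above: it parses the simple user-spec and Cmnd_Alias forms shown in this thread and flags every entry whose command list resolves to ALL, i.e. the unrestricted grant the answer warns about. The sudoers text is constructed for the demonstration; the parser is not sudo's own and ignores Defaults, other alias types and negated (!) commands.

```python
"""Flag sudoers user specs that grant ALL commands (unrestricted root)."""
import re

# Constructed sample mirroring the lines discussed in the thread, plus an
# alias that hides ALL behind a name so alias expansion is exercised.
SAMPLE_SUDOERS = """\
Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump
Cmnd_Alias     SHELLS = /bin/sh, ALL
%sudo ALL=(ALL) NOPASSWD: ALL
%sudo ALL=NOPASSWD: PRINTING, DUMPS, /usr/bin/kill, /usr/local/sudocmds
%ops  ALL=(root) SHELLS
"""

# user  host = [(runas)] [TAG:] cmd, cmd, ...
USER_SPEC = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
TAG_PREFIX = re.compile(r"^(?:[A-Z]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...
SKIP = ("#", "Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def parse_aliases(text):
    """Return {alias_name: [commands]} for every Cmnd_Alias line."""
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.*)$", line.strip())
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    return aliases

def expand(cmds, aliases, seen=frozenset()):
    """Recursively replace alias names with their commands (cycle-safe)."""
    out = []
    for c in cmds:
        if c in aliases and c not in seen:
            out.extend(expand(aliases[c], aliases, seen | {c}))
        else:
            out.append(c)
    return out

def find_unrestricted(text):
    """Return the user/group of every spec whose commands include ALL."""
    aliases = parse_aliases(text)
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(SKIP):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        cmd_part = TAG_PREFIX.sub("", m.group(2))
        cmds = expand([c.strip() for c in cmd_part.split(",")], aliases)
        if "ALL" in cmds:
            findings.append(m.group(1))
    return findings
```

Run it against /etc/sudoers (and the files under /etc/sudoers.d) to list which users or groups still hold a blanket ALL grant before tightening them to explicit commands.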