I think the solution could be: let sudo check each parent executable. If it is named (file name, not invocation way) sudo, then the real sudo will refuse to work. We can think about what happens if an attacker writes their own bash to handle sudo invocation in a different way or defines a sudo alias.
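The ancestor check proposed in the comment, as an added example that is not part of the original post and not sudo's own code: it walks a process's parent chain and refuses when any ancestor's executable file name (the resolved binary, not argv[0] or an alias) is `sudo`. The process table below is constructed so the example runs offline; `read_proc_table()` shows how the same data comes from `/proc` on Linux. The last two table entries illustrate the comment's own caveat: a renamed wrapper binary is invisible to a name-only check.

```python
import os

# Constructed process table for offline use: pid -> (ppid, resolved executable path).
CONSTRUCTED_TABLE = {
    1:   (0,   "/usr/lib/systemd/systemd"),
    100: (1,   "/usr/bin/bash"),
    200: (100, "/usr/bin/sudo"),        # first sudo
    201: (200, "/usr/bin/bash"),        # shell started by that sudo
    202: (201, "/usr/bin/sudo"),        # nested sudo: has a sudo ancestor, refused
    300: (100, "/usr/bin/sudo"),        # sudo under a plain shell: allowed
    400: (100, "/tmp/wrapper/bash"),    # attacker-controlled shell under a different name
    401: (400, "/usr/bin/sudo"),        # a name-only check cannot see 400 as suspicious
}


def ancestors(pid, table):
    """Yield ancestor pids of `pid`, nearest parent first, from a {pid: (ppid, exe)} table."""
    seen = set()
    while pid in table and pid not in seen:
        seen.add(pid)
        ppid, _exe = table[pid]
        if ppid == 0 or ppid not in table:
            return
        yield ppid
        pid = ppid


def has_sudo_ancestor(pid, table):
    """True if any ancestor's executable *file name* is 'sudo' (invocation name is ignored)."""
    return any(os.path.basename(table[p][1]) == "sudo" for p in ancestors(pid, table))


def read_proc_table():
    """Linux only: build {pid: (ppid, exe)} from /proc.

    ppid comes from /proc/<pid>/stat (the 4th field, after the parenthesised comm),
    exe from the /proc/<pid>/exe symlink, which names the binary actually mapped,
    regardless of argv[0] or shell aliases. Unreadable entries are skipped.
    """
    table = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            # comm may contain spaces/parens, so split on the last ')'.
            rest = stat[stat.rindex(")") + 2:].split()
            ppid = int(rest[1])
            exe = os.readlink(f"/proc/{pid}/exe")
        except (OSError, ValueError, IndexError):
            continue
        table[pid] = (ppid, exe)
    return table


def should_refuse_here():
    """Decision for the current process (hypothetical hook in sudo's startup): refuse if a sudo ancestor exists.
    Returns None where /proc is unavailable, so callers can fall back to not applying the check."""
    if not os.path.isdir("/proc"):
        return None
    return has_sudo_ancestor(os.getpid(), read_proc_table())


if __name__ == "__main__":
    for pid in (202, 300, 401):
        verdict = "refuse" if has_sudo_ancestor(pid, CONSTRUCTED_TABLE) else "allow"
        print(f"pid {pid} ({CONSTRUCTED_TABLE[pid][1]}): {verdict}")
    print("current process:", should_refuse_here())
```

Pid 401 is the case the comment worries about: the attacker's shell is not called `sudo`, so a check keyed only on the executable name allows it. A stronger variant would compare the ancestor's inode or hash against the real sudo binary rather than its name, but that is beyond what the comment proposes.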